A network deployment method, device, server and medium
By creating virtual routers and virtual firewalls in network deployment and implementing many-to-one logical link relationships, the problem of high virtual specification requirements for hardware firewalls is solved, and network deployment costs are reduced.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: CHINA MOBILE COMM LTD RES INST
- Filing Date: 2023-05-29
- Publication Date: 2026-06-19
Description
Technical Field
[0001] This invention relates to the field of communication technology, and in particular to a network deployment method, device, server, and medium.
Background Technology
[0002] With the development of communication technology, network edge cloud services are growing rapidly. In existing network edge clouds, the security logic model is one virtual router (vRouter) corresponding to one virtual firewall (vFW). Communication processes such as UPF (User Plane Function) / MEP (Message Exchange Pattern) communication within the network edge cloud, enterprise business communication, and communication between the edge cloud UPF / enterprise business and external enterprise campus / Internet all require secure access control through the firewall. That is, each enterprise leased line (UPF-enterprise campus) requires 2 vFW resources, and each enterprise business requires 4 vFW resources. For example, a 100G UPF shared resource pool supporting 40 leased lines and 100 enterprise businesses would require nearly 500 vFWs. This places high demands on the virtual specifications of hardware firewalls (FWs), which most hardware FW manufacturers cannot meet.
[0003] This shows that existing network deployment methods have high requirements for the virtual specifications of hardware firewalls, resulting in high network deployment costs.
Summary of the Invention
[0004] This invention provides a network deployment method, device, server, and medium to address the problem that existing network deployment methods have high virtual specification requirements for hardware firewalls, resulting in high network deployment costs.
[0005] To solve the above-mentioned technical problems, the present invention is implemented as follows:
[0006] In a first aspect, embodiments of the present invention provide a network deployment method, the method comprising:
[0007] Obtain a first service and a second service;
[0008] Invoke the Virtual Infrastructure Manager (VIM) and the Software Defined Networking (SDN) controller to create a first virtual router and a second virtual router;
[0009] If the first service and the second service have a security interaction requirement, call the security controller to create a virtual firewall;
[0010] The VIM, the SDN controller, and the security controller are invoked to establish a first logical link and a second logical link.
[0011] Wherein, the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall.
[0012] Optionally, the step of invoking the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create the first virtual router and the second virtual router includes:
[0013] Send first instruction information for creating the first virtual router and the second virtual router to the VIM and the SDN controller;
[0014] The SDN controller generates first configuration information based on the first instruction information and sends the first configuration information to the data center gateway (DC-GW) to create the first virtual router and the second virtual router.
[0015] Optionally, the step of invoking the security controller to create the virtual firewall includes:
[0016] Send second instruction information for creating the virtual firewall to the security controller;
[0017] The security controller generates second configuration information based on the second instruction information and sends the second configuration information to the hardware firewall to create the virtual firewall.
[0018] Optionally, the step of invoking the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link includes:
[0019] Allocate and determine the network resources to be interconnected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall;
[0020] Based on the network resources to be interconnected, invoke the VIM and the SDN controller to create a first interconnection interface and a second interconnection interface on the DC-GW side;
[0021] Based on the network resources to be interconnected, invoke the security controller to create a third interconnection interface and a fourth interconnection interface on the hardware firewall side;
[0022] Establish the first logical link based on the first interconnection interface and the third interconnection interface;
[0023] Establish the second logical link based on the second interconnection interface and the fourth interconnection interface;
[0024] Wherein, the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
[0025] Optionally, the step of invoking the VIM and the SDN controller to create the first interconnection interface and the second interconnection interface on the DC-GW side based on the network resources to be interconnected includes:
[0026] Based on the network resources to be interconnected, send third instruction information for creating the first interconnection interface and the second interconnection interface to the VIM and the SDN controller;
[0027] The SDN controller generates third configuration information based on the third instruction information and sends the third configuration information to the data center gateway (DC-GW) to create the first interconnection interface and the second interconnection interface;
[0028] The step of invoking the security controller to create the third interconnection interface and the fourth interconnection interface on the hardware firewall side based on the network resources to be interconnected includes:
[0029] Based on the network resources to be interconnected, send fourth instruction information for creating the third interconnection interface and the fourth interconnection interface to the security controller;
[0030] The security controller generates fourth configuration information based on the fourth instruction information and sends the fourth configuration information to the hardware firewall to create the third interconnection interface and the fourth interconnection interface.
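The first-aspect steps above (obtain services, create one vRouter per service via VIM and SDN controller, create a single vFW when the services need security interaction, then join each vRouter to that vFW through a DC-GW side and a firewall side interconnection interface), modelled as an added example; this is not the patent's or any vendor's code. The controller classes are stand-ins, the instruction and configuration records are assumed shapes, and the cross-domain rule in needs_security_interaction is an assumption; the example generalises the two-service case to any number of services sharing one vFW.

```python
"""Many-to-one vRouter/vFW deployment flow of the first aspect, modelled in Python.

Added illustration, not the patent's or any vendor's code. SdnController and
SecurityController are stand-ins for the real controllers; the instruction and
configuration records they exchange are assumed shapes chosen to make each
step visible. Generalises the two-service case to any number of services.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    name: str
    zone: str  # security domain, e.g. "trust", "dmz", "untrust" (assumed labels)


@dataclass
class Deployment:
    """Objects created on the DC-GW side and the hardware-firewall side."""
    vrouters: Dict[str, str] = field(default_factory=dict)   # service name -> vRouter id
    vfw: Optional[str] = None                                # the one shared vFW
    # (vRouter, DC-GW side interface, hardware-FW side interface)
    logical_links: List[Tuple[str, str, str]] = field(default_factory=list)


class SdnController:
    """With the VIM, turns instruction information into DC-GW configuration."""
    def __init__(self) -> None:
        self._ids = count(1)
        self.dcgw_config: List[tuple] = []   # configuration pushed to the DC-GW

    def create_vrouter(self, service: Service) -> str:
        vr = f"vRouter{next(self._ids)}"
        self.dcgw_config.append(("create-vrouter", vr, service.name))   # first configuration
        return vr

    def create_interconnect(self, vrouter: str, resource: str) -> str:
        iface = f"{vrouter}-if-{resource}"
        self.dcgw_config.append(("create-interface", iface))           # third configuration
        return iface


class SecurityController:
    """Turns instruction information into hardware-firewall configuration."""
    def __init__(self) -> None:
        self._ids = count(1)
        self.fw_config: List[tuple] = []     # configuration pushed to the hardware FW

    def create_vfw(self) -> str:
        vfw = f"vFW{next(self._ids)}"
        self.fw_config.append(("create-vfw", vfw))                       # second configuration
        return vfw

    def create_interconnect(self, vfw: str, resource: str) -> str:
        iface = f"{vfw}-if-{resource}"
        self.fw_config.append(("create-interface", iface))              # fourth configuration
        return iface


def needs_security_interaction(a: Service, b: Service) -> bool:
    """Assumed policy: traffic between different security domains must cross a firewall."""
    return a.zone != b.zone


def deploy(services: List[Service], sdn: SdnController, sec: SecurityController) -> Deployment:
    dep = Deployment()
    # [0008]: one vRouter per service, created on the DC-GW via VIM + SDN controller.
    for svc in services:
        dep.vrouters[svc.name] = sdn.create_vrouter(svc)
    # [0009]: a single vFW if any pair of services has a security interaction requirement.
    pairs = [(a, b) for i, a in enumerate(services) for b in services[i + 1:]]
    if not any(needs_security_interaction(a, b) for a, b in pairs):
        return dep
    dep.vfw = sec.create_vfw()
    # [0019]-[0023]: per vRouter, one interconnection interface on the DC-GW side and one
    # on the firewall side, joined into a logical link; every link ends on the same vFW.
    for n, vr in enumerate(dep.vrouters.values(), start=1):
        resource = f"link{n}"        # the "network resource to be interconnected"
        dcgw_if = sdn.create_interconnect(vr, resource)
        fw_if = sec.create_interconnect(dep.vfw, resource)
        dep.logical_links.append((vr, dcgw_if, fw_if))
    return dep


def legacy_vfw_count(leased_lines: int, enterprise_services: int) -> int:
    """1:1 model from the background: 2 vFWs per leased line, 4 per enterprise service."""
    return 2 * leased_lines + 4 * enterprise_services


if __name__ == "__main__":
    # Constructed sample: a UPF in the trust domain and an enterprise app in the DMZ.
    sdn, sec = SdnController(), SecurityController()
    d = deploy([Service("UPF", "trust"), Service("EnterpriseX_app", "dmz")], sdn, sec)
    print(d.vrouters, d.vfw, d.logical_links)
    print("legacy vFWs for 40 leased lines + 100 businesses:", legacy_vfw_count(40, 100))
```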
[0031] In a second aspect, embodiments of the present invention provide a network deployment device, comprising:
[0032] The acquisition module is used to acquire the first and second services;
[0033] The first calling module is used to call the Virtual Infrastructure Manager (VIM) and the Software Defined Network (SDN) controller to create the first virtual router and the second virtual router.
[0034] The second calling module is used to call the security controller to create a virtual firewall when the first service and the second service have a security interaction requirement.
[0035] The third invocation module is used to invoke the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link.
[0036] Wherein, the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall.
[0037] Optionally, the first calling module includes:
[0038] The first instruction module is used to send first instruction information for creating the first virtual router and the second virtual router to the VIM and the SDN controller;
[0039] The first configuration module is used by the SDN controller to generate first configuration information based on the first instruction information;
[0040] The first sending module is used to send the first configuration information to the data center gateway (DC-GW) to create the first virtual router and the second virtual router.
[0041] Optionally, the second calling module includes:
[0042] The second instruction module is used to send second instruction information for creating the virtual firewall to the security controller;
[0043] The second configuration module is used by the security controller to generate second configuration information based on the second instruction information;
[0044] The second sending module is used to send the second configuration information to the hardware firewall to create the virtual firewall.
[0045] Optionally, the third calling module includes:
[0046] The resource allocation module is used to allocate and determine the network resources to be interconnected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall;
[0047] The first calling submodule is used to invoke the VIM and the SDN controller to create the first interconnection interface and the second interconnection interface on the DC-GW side based on the network resources to be interconnected;
[0048] The second calling submodule is used to invoke the security controller to create the third interconnection interface and the fourth interconnection interface on the hardware firewall side based on the network resources to be interconnected;
[0049] The first establishment module is used to establish the first logical link based on the first interconnection interface and the third interconnection interface;
[0050] The second establishment module is used to establish the second logical link based on the second interconnection interface and the fourth interconnection interface;
[0051] Wherein, the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
[0052] Optionally, the first calling submodule includes:
[0053] The third instruction module is used to send third instruction information for creating the first interconnection interface and the second interconnection interface to the VIM and the SDN controller based on the network resources to be interconnected;
[0054] The third configuration module is used by the SDN controller to generate third configuration information based on the third instruction information;
[0055] The third sending module is used to send the third configuration information to the data center gateway (DC-GW) to create the first interconnection interface and the second interconnection interface;
[0056] The second calling submodule includes:
[0057] The fourth instruction module is used to send fourth instruction information for creating the third interconnection interface and the fourth interconnection interface to the security controller based on the network resources to be interconnected;
[0058] The fourth configuration module is used by the security controller to generate fourth configuration information based on the fourth instruction information;
[0059] The fourth sending module is used to send the fourth configuration information to the hardware firewall to create the third interconnection interface and the fourth interconnection interface.
[0060] In a third aspect, embodiments of the present invention provide an electronic device, including a processor;
[0061] The processor is used to obtain the first service and the second service;
[0062] Invoke the Virtual Infrastructure Manager (VIM) and the Software Defined Networking (SDN) controller to create a first virtual router and a second virtual router;
[0063] If the first service and the second service have a security interaction requirement, call the security controller to create a virtual firewall;
[0064] The VIM, the SDN controller, and the security controller are invoked to establish a first logical link and a second logical link.
[0065] Wherein, the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall.
[0066] Optionally, the step of invoking the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create the first virtual router and the second virtual router includes:
[0067] Send first instruction information for creating the first virtual router and the second virtual router to the VIM and the SDN controller;
[0068] The SDN controller generates first configuration information based on the first instruction information and sends the first configuration information to the data center gateway (DC-GW) to create the first virtual router and the second virtual router.
[0069] Optionally, the step of invoking the security controller to create the virtual firewall includes:
[0070] Send second instruction information for creating the virtual firewall to the security controller;
[0071] The security controller generates second configuration information based on the second instruction information and sends the second configuration information to the hardware firewall to create the virtual firewall.
[0072] Optionally, the step of invoking the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link includes:
[0073] Allocate and determine the network resources to be interconnected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall;
[0074] Based on the network resources to be interconnected, invoke the VIM and the SDN controller to create a first interconnection interface and a second interconnection interface on the DC-GW side;
[0075] Based on the network resources to be interconnected, invoke the security controller to create a third interconnection interface and a fourth interconnection interface on the hardware firewall side;
[0076] Establish the first logical link based on the first interconnection interface and the third interconnection interface;
[0077] Establish the second logical link based on the second interconnection interface and the fourth interconnection interface;
[0078] Wherein, the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
[0079] Optionally, the step of invoking the VIM and the SDN controller to create the first interconnection interface and the second interconnection interface on the DC-GW side based on the network resources to be interconnected includes:
[0080] Based on the network resources to be interconnected, send third instruction information for creating the first interconnection interface and the second interconnection interface to the VIM and the SDN controller;
[0081] The SDN controller generates third configuration information based on the third instruction information and sends the third configuration information to the data center gateway (DC-GW) to create the first interconnection interface and the second interconnection interface;
[0082] The step of invoking the security controller to create the third interconnection interface and the fourth interconnection interface on the hardware firewall side based on the network resources to be interconnected includes:
[0083] Based on the network resources to be interconnected, send fourth instruction information for creating the third interconnection interface and the fourth interconnection interface to the security controller;
[0084] The security controller generates fourth configuration information based on the fourth instruction information and sends the fourth configuration information to the hardware firewall to create the third interconnection interface and the fourth interconnection interface.
[0085] In a fourth aspect, embodiments of the present invention provide a server, including a cloud management platform, a Virtual Infrastructure Manager (VIM), a Software-Defined Networking (SDN) controller, and a security controller;
[0086] The cloud management platform is used to:
[0087] Obtain a first service and a second service;
[0088] Invoke the Virtual Infrastructure Manager (VIM) and the Software Defined Networking (SDN) controller to create a first virtual router and a second virtual router;
[0089] When the first service and the second service have a security interaction requirement, the security controller is invoked to create a virtual firewall;
[0090] The VIM, the SDN controller, and the security controller are invoked to establish a first logical link and a second logical link.
[0091] Wherein, the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall.
[0092] Optionally, the step of invoking the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create the first virtual router and the second virtual router includes:
[0093] Send first instruction information for creating the first virtual router and the second virtual router to the VIM and the SDN controller;
[0094] The SDN controller generates first configuration information based on the first instruction information and sends the first configuration information to the data center gateway (DC-GW) to create the first virtual router and the second virtual router.
[0095] Optionally, the step of invoking the security controller to create the virtual firewall includes:
[0096] Send second instruction information for creating the virtual firewall to the security controller;
[0097] The security controller generates second configuration information based on the second instruction information and sends the second configuration information to the hardware firewall to create the virtual firewall.
[0098] Optionally, the step of invoking the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link includes:
[0099] Allocate and determine the network resources to be interconnected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall;
[0100] Based on the network resources to be interconnected, invoke the VIM and the SDN controller to create a first interconnection interface and a second interconnection interface on the DC-GW side;
[0101] Based on the network resources to be interconnected, invoke the security controller to create a third interconnection interface and a fourth interconnection interface on the hardware firewall side;
[0102] Establish the first logical link based on the first interconnection interface and the third interconnection interface;
[0103] Establish the second logical link based on the second interconnection interface and the fourth interconnection interface;
[0104] Wherein, the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
[0105] Optionally, the step of invoking the VIM and the SDN controller to create the first interconnection interface and the second interconnection interface on the DC-GW side based on the network resources to be interconnected includes:
[0106] Based on the network resources to be interconnected, send third instruction information for creating the first interconnection interface and the second interconnection interface to the VIM and the SDN controller;
[0107] The SDN controller generates third configuration information based on the third instruction information and sends the third configuration information to the data center gateway (DC-GW) to create the first interconnection interface and the second interconnection interface;
[0108] The step of invoking the security controller to create the third interconnection interface and the fourth interconnection interface on the hardware firewall side based on the network resources to be interconnected includes:
[0109] Based on the network resources to be interconnected, send fourth instruction information for creating the third interconnection interface and the fourth interconnection interface to the security controller;
[0110] The security controller generates fourth configuration information based on the fourth instruction information and sends the fourth configuration information to the hardware firewall to create the third interconnection interface and the fourth interconnection interface.
[0111] In a fifth aspect, embodiments of the present invention provide an electronic device, including: a processor, a memory, and a program stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the network deployment method described in the first aspect above.
[0112] In a sixth aspect, embodiments of the present invention provide a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the network deployment method described in the first aspect above.
[0113] In this embodiment of the invention, a first service and a second service are obtained; a Virtual Infrastructure Manager (VIM) and a Software-Defined Networking (SDN) controller are invoked to create a first virtual router and a second virtual router; if the first service and the second service have a security interaction requirement, a security controller is invoked to create a virtual firewall; the VIM, the SDN controller, and the security controller are invoked to establish a first logical link and a second logical link; wherein, the first virtual router is the virtual router corresponding to the first service, and the second virtual router is the virtual router corresponding to the second service; the first logical link is the logical link connecting the first virtual router and the virtual firewall, and the second logical link is the logical link connecting the second virtual router and the virtual firewall. In this embodiment of the invention, by having the virtual routers of different services share one virtual firewall, vFW resource consumption can be effectively reduced, thereby reducing network deployment costs.
Description of the Drawings
[0114] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments of the present invention will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0115] Figure 1 is an architecture diagram of a network deployment provided by existing technology;
[0116] Figure 2 is an architecture diagram of another network deployment provided by existing technology;
[0117] Figure 3 is an architecture diagram of another network deployment provided by existing technology;
[0118] Figure 4 is a schematic diagram of a secure interaction provided by existing technology;
[0119] Figure 5 is a flowchart of a network deployment method provided in an embodiment of the present invention;
[0120] Figure 6 is a network deployment architecture diagram provided by an embodiment of the present invention;
[0121] Figure 7 is a schematic diagram of a network deployment provided by an embodiment of the present invention;
[0122] Figure 8 is a schematic diagram of a secure interaction provided by an embodiment of the present invention;
[0123] Figure 9 is a schematic diagram of a network deployment device provided in an embodiment of the present invention;
[0124] Figure 10 is a schematic diagram of an electronic device provided in an embodiment of the present invention.
Detailed Description
[0125] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0126] For ease of understanding, the following describes some aspects of the embodiments of the present invention:
[0127] In existing technologies, as shown in Figure 1, Neutron is the component in the OpenStack project responsible for providing network services. It provides network services through plugin and agent mechanisms. Among them, the plugins involved in router-based security access control are L3 and FWaaS. The L3 plugin is used to create vRouters, providing routing services between Neutron subnets and FloatingIP / NAT services for external access. FWaaS can be used to establish and manage vFWs and associate a vFW with a vRouter, filtering layer 3 and layer 4 traffic at the subnet boundary to provide network security protection.
[0128] When cloud-based data center gateways (DC-GW) and firewalls (FW) are deployed in hardware form, the industry manages the DC-GW by connecting to an SDN (Software Defined Network) controller via the L3 plugin, and connects to the hardware FW via a security controller or the FWaaS plugin. The L3 plugin and the FWaaS plugin define private interfaces to work together to automate the deployment of FWaaS services and NAT / FloatingIP services.
[0129] As shown in Figure 2, the security logic model in OpenStack is one vRouter corresponding to one vFW.
[0130] For north-south services that cross the firewall at the exit, as shown in Figure 2, take the interaction between a VNF (Virtualized Network Function) / APP and an external network as an example. The internal and external vRouters each correspond to a vFW (vFW_in and vFW_ext), and communication is achieved by connecting the internal vFW to the external vFW; in Figure 2, VNFs or APPs communicate with external networks via vFW_in and vFW_ext. For east-west communication between the vRouters of different tenants (VNF1 and APP), each vRouter corresponds to a vFW, and communication passes through the two vFWs; in Figure 2, VNF and APP communicate with each other through vFW_in1 and vFW_in2.
[0131] In this context, north-south outbound access via the data center can be understood as accessing services outside the data center, while east-west cross-wall access between different tenants via vRouters can be understood as accessing services inside the data center. Different tenants within the data center can be different enterprises.
[0132] As shown in Figure 3, VNF network elements (such as UPF and MEP) and enterprise services are deployed in the network edge cloud. UPF and MEP belong to the trust domain, while enterprise services belong to the DMZ (demilitarized zone) domain. External enterprise campuses and the Internet belong to the untrust domain. Interactions between UPF / MEP and enterprise services within the edge cloud, and between UPF / enterprise services within the edge cloud and external enterprise campuses / the Internet, require secure access control through the firewall (FW). Furthermore, each enterprise leased line (UPF-enterprise campus) and each enterprise service's access to the Internet requires a separate external exit for isolation. Enterprise leased line services and enterprise service access to the Internet / campus are north-south oriented, while UPF / MEP traffic to enterprise services is east-west oriented between different VPCs (Virtual Private Clouds). According to the OpenStack firewall-crossing logic model, north-south internal and external vRouters, as well as different VPCs, cannot share vFW resources. Different VPCs can be understood as corresponding to different vRouters.
[0133] Each leased line requires 2 vFW resources, and each enterprise service requires 4 vFW resources. For example, as shown in Figure 4, the Enterprise Y leased line between the Enterprise Y campus and the UPF requires Enterprise Y leased line vfw_ext and Enterprise Y leased line vfw_in. Interoperability between Enterprise X_app (i.e., an enterprise business) and UPF / MEP requires MEP fw_Enterprise X and Enterprise X vfw_in. Interoperability between Enterprise X_app and the Internet requires Enterprise X vfw_Internet and Enterprise X vfw_out. Assuming a 100G UPF shared resource pool supports 40 leased lines and 100 enterprise businesses, nearly 500 vFWs would be required, placing high demands on the virtual specifications of the hardware firewall, which most hardware firewall manufacturers cannot meet.
[0134] In this embodiment of the invention, a network deployment method, device, server, and medium are proposed to solve the problem that existing network deployment methods have high virtual specification requirements for hardware firewalls, resulting in high network deployment costs.
[0135] Referring to Figure 5, which is a flowchart of a network deployment method provided in an embodiment of the present invention, the method includes the following steps:
[0136] Step 501: Obtain the first and second services.
[0137] In this embodiment of the invention, the first service and the second service refer to services that need to be deployed in the network, especially services that need to be deployed on the edge cloud.
[0138] As shown in Figure 3, the first service can be any one of enterprise campus services, Internet services, VNF network element services, or enterprise services. Similarly, the second service can also be any one of enterprise campus services, Internet services, VNF network element services, or enterprise services. The first and second services are different services; they can be different services of the same type, or different services of different types.
[0139] Step 502: Invoke the Virtual Infrastructure Manager (VIM) and the Software Defined Networking (SDN) controller to create the first virtual router and the second virtual router;
[0140] The first virtual router is the virtual router corresponding to the first service, and the second virtual router is the virtual router corresponding to the second service.
[0141] In embodiments of the present invention, as shown in Figure 6, the cloud management platform can call the Virtualized Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create the first and second virtual routers. The cloud management platform is software on a server. The execution entity for each step in this embodiment can be either the cloud management platform or the server.
[0142] Optionally, the cloud management platform, VIM, SDN controller, and security controller are all software deployed on the server.
[0143] Routers connect to the network of virtual machines (VMs) and are related to VMs. In OpenStack, Nova is responsible for VM creation, while Neutron is responsible for networking. They need to work together. The cloud management platform calls VIM (Neutron) to assist in creating virtual routers (vRouters). Different virtual routers are created for different services. For example, a first virtual router (vRouter1) and a second virtual router (vRouter2) are created for the first and second services, respectively.
[0144] Optionally, the step of invoking the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create the first virtual router and the second virtual router includes:
[0145] Send first instruction information for creating a first virtual router and a second virtual router to the VIM and the SDN controller;
[0146] The SDN controller generates first configuration information based on the first indication information and sends the first configuration information to the data center gateway (DC-GW) to create a first virtual router and a second virtual router.
[0147] In this embodiment of the invention, a first virtual router and a second virtual router are collaboratively created through a cloud management platform, VIM, SDN, and DC-GW. The DC-GW can be located on a separate hardware device. During the collaborative vRouter creation process, the cloud platform and the VIM / SDN controller are used to create the vRouter objects, while the DC-GW hardware is used to create the vRouters themselves.
[0148] The cloud management platform creates service vRouter1 and vRouter2 (objects) and calls the VIM / SDN controller to create the corresponding vRouter (objects). The cloud management platform invokes the VIM / SDN controller by sending a first instruction message to the VIM / SDN controller. The first instruction message instructs the VIM / SDN controller to create vRouter1 and vRouter2 (objects). The VIM can act as an intermediary between the cloud management platform and the SDN controller, used to transparently transmit the first instruction message issued by the cloud management platform to the SDN controller. Based on the first instruction message, the SDN controller generates the relevant configuration information for creating service vRouter1 and vRouter2 and sends the relevant configuration information to the DC-GW, thereby realizing the collaborative creation of the first and second virtual routers.
[0149] Step 503: If the first service and the second service have a security interaction requirement, call the security controller to create a virtual firewall.
[0150] In this embodiment of the invention, the aforementioned security interaction requirement can be understood as the requirement to interact through a firewall, and the interaction can be understood as a process such as mutual access or communication.
[0151] The process of determining whether the first and second services have a security interaction requirement can be as follows: First, the cloud platform can directly obtain the security interaction requirements of the corresponding services when acquiring the first and second services from the server or edge cloud. Second, it can generate a virtual firewall for the newly added security interaction requirements after establishing vRouters for the relevant services. That is, the cloud platform can directly know whether there is a security interaction requirement between the two services after acquiring them, and if it determines that there is a security interaction requirement, it can directly create vRouter1, vRouter2, and a shared vFW corresponding to the two services. Alternatively, the cloud platform can first establish vRouters for the two services after acquiring them, and then determine whether to establish a shared vFW based on whether there is a security interaction requirement, or further establish a shared vFW if a new security interaction requirement is added later.
[0152] In this embodiment of the invention, a virtual firewall is created by directly calling the security controller through the cloud management platform. This is different from the existing technology of creating a virtual firewall (vFW) through Neutron. This makes it possible for multiple vRouters to share a vFW, thereby effectively reducing the resource consumption of vFW.
[0153] For example, in this embodiment of the invention, north-south internal and external routers share vFW resources, and different VPCs share vFW resources when they communicate with each other, while VPCs that do not communicate with each other still retain independent vFW resources (for example, different enterprise leased lines use different vFW resources). For example, MEP and Enterprise X share Enterprise X vFW_in when communicating with each other, and the enterprise Internet north-south routes share Enterprise X vFW_out. In this way, the vFW resource usage can be halved.
[0154] As shown in Figure 2, the existing vRouter and vFW have a one-to-one relationship, while in the embodiments of this invention, as shown in Figure 7, different vRouters (vRouter1 and vRouter2) can share the same vFW; that is, different VPCs share a vFW, realizing a many-to-one relationship between vRouter and vFW, which can effectively reduce vFW resource consumption.
[0155] For example, as shown in Figure 8, north-south internal and external routers (Enterprise Y leased line router_ext and Enterprise Y leased line router_in) share vFW resources (Enterprise Y leased line vfw_in), and different VPCs (router_MEP_UPF, MEP_router_Enterprise X, and Enterprise X router_in) that access each other share vFW resources (Enterprise X vfw_in). Compared with the existing technology shown in Figure 4, this can effectively reduce vFW resource consumption, thereby reducing the resource consumption of network deployment.
[0156] Optionally, the step of invoking the security controller to create a virtual firewall includes:
[0157] Send a second instruction message to the security controller to create a virtual firewall;
[0158] The security controller generates second configuration information based on the second instruction information and sends the second configuration information to the hardware firewall to create the virtual firewall.
[0159] In this embodiment of the invention, a virtual firewall is created collaboratively by a cloud management platform, a security controller, and a hardware firewall. The hardware firewall can be installed on a separate hardware device. During the collaborative creation of the virtual firewall, the cloud management platform and the security controller are used to create the virtual firewall object, while the hardware firewall is used to create the virtual firewall itself.
[0160] The cloud management platform creates a service vFW (object) and calls the security controller to create the corresponding vFW (object). The cloud management platform calls the security controller by sending a second instruction message, which instructs the security controller to create the vFW (object). Based on the second instruction message, the security controller generates relevant configuration information for creating the service vFW and sends the relevant configuration information to the hardware FW, thereby realizing the collaborative creation of the vFW.
[0161] Step 504: Invoke the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link;
[0162] The first logical link is the logical link connecting the first virtual router and the virtual firewall, and the second logical link is the logical link connecting the second virtual router and the virtual firewall.
[0163] In this embodiment of the invention, different vRouters (e.g., vRouter1 and vRouter2) can share the same vFW, that is, different VPCs share the vFW, which means that different vRouters establish logical links with the same vFW respectively, so that different vRouters can share the same vFW.
[0164] Optionally, interconnection interfaces can be created on both the vRouter and vFW to establish a logical link between them.
[0165] Optionally, the invocation of the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link includes:
[0166] Based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall, allocate and determine the network resources to be connected;
[0167] Based on the network resources being connected, the VIM and the SDN controller are invoked to create the first interconnection interface and the second interconnection interface on the DC-GW side;
[0168] Based on the network resources being connected, the security controller is invoked to create the third and fourth interconnect interfaces on the hardware firewall side;
[0169] The first logical link is established based on the first interconnection interface and the third interconnection interface;
[0170] The second logical link is established based on the second interconnection interface and the fourth interconnection interface;
[0171] Wherein, the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
[0172] In this embodiment of the invention, the above-mentioned interconnection interface can be understood as a software-level interface.
[0173] The cloud platform orchestrates logical link 1 for interconnecting vRouter1 and the vFW. The cloud management platform allocates network resources based on the DC-GW and FW interconnection network structure and operating model. The cloud platform, carrying the allocated IP addresses, VLANs, and other resources, calls the VIM / SDN controller to create the DC-GW-side interconnection interface and the security controller to create the hardware FW-side interconnection interface. Similarly, the cloud platform orchestrates logical link 2 for interconnecting vRouter2 and the vFW. Again, the cloud management platform allocates network resources based on the DC-GW and FW interconnection network structure and operating model, and the cloud platform, carrying the allocated IP addresses, VLANs, and other resources, calls the VIM / SDN controller to create the DC-GW-side interconnection interface and the security controller to create the hardware FW-side interconnection interface.
[0174] Optionally, the step of calling the VIM and the SDN controller to create the first interconnection interface and the second interconnection interface on the DC-GW side according to the network resources being connected includes:
[0175] Based on the network resources being connected, a third instruction message for creating a first interconnect interface and a second interconnect interface is sent to the VIM and the SDN controller;
[0176] The SDN controller generates third configuration information based on the third indication information and sends the third configuration information to the data center gateway DC-GW to create the first interconnection interface and the second interconnection interface;
[0177] The step of calling the security controller to create the third and fourth interconnect interfaces on the hardware firewall side based on the connected network resources includes:
[0178] Based on the network resources being connected, a fourth instruction message for creating a third interconnect interface and a fourth interconnect interface is sent to the security controller;
[0179] The security controller generates fourth configuration information based on the fourth indication information and sends the fourth configuration information to the hardware firewall to create the third interconnection interface and the fourth interconnection interface.
[0180] It is understood that, in this embodiment of the invention, the calling process is not limited to the above-described method of sending instructions, and existing VIM / SDN controller and security controller calling methods can be used.
[0181] In this embodiment of the invention, the process of calling the VIM and the SDN controller to create the first and second interconnection interfaces on the DC-GW side also involves the cloud management platform sending instruction information to the VIM and the SDN controller based on the network resources being connected, instructing the interconnection interfaces on the DC-GW side to be established, that is, instructing the interconnection interfaces of vRouter1 and vRouter2 to be established. The SDN controller generates configuration information for the interconnection interface creation based on the instruction information and sends this configuration information to the DC-GW to execute the interconnection interface creation. The cloud management platform, the VIM, the SDN controller, and the DC-GW collaboratively establish the first and second interconnection interfaces of the virtual routers.
[0182] In this embodiment of the invention, the process of the security controller creating the third and fourth interconnect interfaces on the hardware firewall side is similar: the cloud management platform sends instruction information to the security controller based on the network resources being connected, instructing the hardware firewall to establish interconnect interfaces, that is, instructing the vFW to establish interconnect interfaces. The security controller then generates configuration information for interconnect interface creation based on the instruction information and sends this configuration information to the hardware firewall to execute the interconnect interface creation. The cloud management platform, the security controller, and the hardware firewall collaboratively establish and create the third and fourth interconnect interfaces for the vFW.
[0183] This invention can be specifically applied to the data service field, providing a mechanism for automated deployment of shared vFW across different VPCs. Specifically, it introduces a cloud management platform to collaborate with a VIM / SDN controller and a security controller for automated deployment.
[0184] For ease of understanding, the embodiments of the present invention provide the following examples of optional processes:
[0185] 1) The cloud platform manages and maintains the physical topology and working mode of the hardware gateway (GW) and hardware firewall (FW) interfaces;
[0186] 2) The cloud platform creates business vRouter1 and vRouter2, and calls the VIM / SDN controller to create the corresponding vRouter;
[0187] 3) If two services have a need for secure mutual access, the cloud platform will continue to create a vFW and call the security controller to create the vFW;
[0188] 4) The cloud platform orchestrates the logical link 1 for interconnecting vRouter1 and vFW, allocates the interconnection network resources according to the DC-GW and FW interconnection network and working model, and calls the VIM / SDN controller to create the DC-GW side interconnection interface with the allocated IP, VLAN, etc., and calls the security controller to create the hardware FW side interconnection interface.
[0189] 5) The cloud platform orchestrates logical link 2 for interconnecting vRouter2 and the vFW; the implementation method is the same as in step 4.
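The five-step process above, together with the two ways of handling the security interaction requirement described at [0151] (known when the services are acquired, or added after the vRouters already exist), as an added illustration that is not code from the patent or from any vendor's cloud platform. The VIM / SDN controller, security controller, DC-GW and hardware FW are in-memory stubs; the class names, the VLAN range starting at 100, the 10.200.0.0/24 link address pool and the vsys / vrf configuration lines are assumptions made for this example.

```python
"""Toy model of the five-step shared-vFW deployment flow.

Added example, not the patent's or any vendor's code.  Controllers and
hardware are simulated in memory; names and address pools are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """One logical link: a DC-GW-side and a hardware-FW-side interconnection interface."""
    vrouter: str
    vfw: str
    vlan: int
    gw_ip: str  # DC-GW side interface address (created via the VIM / SDN controller)
    fw_ip: str  # hardware FW side interface address (created via the security controller)


class SdnController:
    """Northbound: instruction messages from the platform; southbound: DC-GW config (simulated)."""

    def __init__(self):
        self.dcgw_config = []  # lines the DC-GW would receive (hypothetical syntax)

    def create_vrouter(self, name):
        self.dcgw_config.append(f"vrf {name}")

    def create_interface(self, vrouter, vlan, ip):
        self.dcgw_config.append(f"interface {vrouter}-vlan{vlan} vrf {vrouter} address {ip}")


class SecurityController:
    """Same pattern towards the hardware FW: vFW (vsys) objects and their interfaces."""

    def __init__(self):
        self.fw_config = []  # lines the hardware FW would receive (hypothetical syntax)

    def create_vfw(self, name):
        self.fw_config.append(f"vsys {name}")

    def create_interface(self, vfw, vlan, ip):
        self.fw_config.append(f"interface {vfw}-vlan{vlan} vsys {vfw} address {ip}")


class CloudPlatform:
    """Orchestrator: owns the vRouter / vFW inventory and the link resource pools (step 1)."""

    def __init__(self, sdn, sec, vlan_start=100, link_pool="10.200.0.0/24"):
        self.sdn, self.sec = sdn, sec
        self.vrouters = {}   # service name -> vRouter name
        self.vfws = set()    # vFW names created so far
        self.links = []      # orchestrated logical links
        self._vlans = iter(range(vlan_start, 4095))
        self._subnets = ipaddress.ip_network(link_pool).subnets(new_prefix=30)

    def deploy(self, first, second, security_interaction, vfw_name=None):
        """Steps 2-5 for one pair of services; returns the vFW name, or None if no vFW is needed."""
        for svc in (first, second):                  # step 2: one vRouter per service, idempotent
            if svc not in self.vrouters:
                name = f"vRouter_{svc}"
                self.sdn.create_vrouter(name)
                self.vrouters[svc] = name
        if not security_interaction:                 # step 3: no vFW without a security requirement
            return None
        if vfw_name not in self.vfws:                # a vFW created earlier for another pair is reused
            self.sec.create_vfw(vfw_name)
            self.vfws.add(vfw_name)
        for svc in (first, second):                  # steps 4 and 5: one logical link per vRouter
            vr = self.vrouters[svc]
            if not any(l.vrouter == vr and l.vfw == vfw_name for l in self.links):
                self.links.append(self._orchestrate_link(vr, vfw_name))
        return vfw_name

    def _orchestrate_link(self, vrouter, vfw):
        """Allocate a VLAN and a /30 from the pools, then create both interconnection interfaces."""
        vlan = next(self._vlans)
        gw_ip, fw_ip = (f"{h}/30" for h in next(self._subnets).hosts())
        self.sdn.create_interface(vrouter, vlan, gw_ip)
        self.sec.create_interface(vfw, vlan, fw_ip)
        return Link(vrouter, vfw, vlan, gw_ip, fw_ip)

    def vrouters_sharing(self, vfw):
        """The many-to-one relationship: all vRouters linked to one vFW."""
        return sorted({l.vrouter for l in self.links if l.vfw == vfw})

    def links_are_isolated(self):
        """Check that sharing a vFW does not merge segments: each link has its own VLAN and /30."""
        vlans = [l.vlan for l in self.links]
        nets = [ipaddress.ip_interface(l.gw_ip).network for l in self.links]
        return len(set(vlans)) == len(vlans) and len(set(nets)) == len(nets)


def vfw_demand(leased_lines, enterprise_services, shared):
    """vFW count under the accounting used in the text: 2 per leased line and 4 per
    enterprise service one-to-one, halved when routers share a vFW."""
    per_line, per_service = (1, 2) if shared else (2, 4)
    return leased_lines * per_line + enterprise_services * per_service


def demo():
    """Loosely reproduce Figure 8: three vRouters on Enterprise X vfw_in, two on the Enterprise Y line vfw_in."""
    cp = CloudPlatform(SdnController(), SecurityController())
    cp.deploy("UPF", "MEP", True, "EnterpriseX_vfw_in")
    cp.deploy("MEP", "EnterpriseX_app", True, "EnterpriseX_vfw_in")
    cp.deploy("EnterpriseY_ext", "EnterpriseY_in", True, "EnterpriseY_line_vfw_in")
    return cp


if __name__ == "__main__":
    platform = demo()
    print(platform.vrouters_sharing("EnterpriseX_vfw_in"))
    print(*platform.sdn.dcgw_config, *platform.sec.fw_config, sep="\n")
```

Calling `deploy` with `security_interaction=False` creates only the vRouters; a later call with the requirement set creates the vFW and links to the existing vRouters, which is the "requirement added later" path. `links_are_isolated` is the check a reviewer would run after the fact: the saving comes from one vFW object serving several vRouters, and each vRouter must still reach it over its own VLAN and point-to-point subnet.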
[0190] The aforementioned cloud management platform is used for: maintaining the physical topology and working mode of the hardware GW and hardware FW; orchestrating service bypass models and security policies; managing the IP and VLAN network resources of the interconnection links; and coordinating the deployment through the VIM / SDN controller and the security controller. Specifically, it can orchestrate service bypass models and security policies, orchestrate the sharing of vFWs by different VPCs and north-south vRouters, and coordinate with the VIM / SDN controller and the security controller to complete the automated deployment of the GW and FW network interconnection.
[0191] The aforementioned SDN controller is used to: face the cloud management platform northbound, receiving messages from the cloud platform to create vRouters and interconnection interfaces; and connect to the hardware GW southbound, converting those messages into hardware GW configuration for distribution, thereby enabling automatic deployment of the network configuration on the DC-GW side connecting to the FW.
[0192] The aforementioned security controller is used to: face the cloud management platform northbound, receiving messages from the cloud platform to create vFWs and interconnection interfaces; and connect to the hardware FW southbound, converting those messages into hardware FW configuration for distribution, thereby enabling automated deployment of the network configuration on the FW side connecting to the GW.
[0193] This application proposes a technical solution for the automated deployment of shared vFW resources across different VPCs. By introducing a cloud platform to coordinate with the VIM / SDN controller and security controller, multiple vRouters can be associated with a single vFW deployment. In this way, a single vFW can be shared for the north-south exit of a UPF leased line in the edge cloud. In UPF traffic offloading scenarios, UPF VPCs and APP VPCs also share a single vFW. North-south internet access for the same tenant can also share a single vFW, saving vFW resource consumption, reducing hardware FW equipment specifications, and lowering costs. This satisfies the need for saving vFW resources and reducing hardware FW costs in the network edge cloud.
[0194] The network deployment method in this embodiment involves: acquiring a first service and a second service; invoking the Virtual Infrastructure Manager (VIM) and the Software Defined Network (SDN) controller to create a first virtual router and a second virtual router; if the first service and the second service require secure interaction, invoking the security controller to create a virtual firewall; and invoking the VIM, the SDN controller, and the security controller to establish a first logical link and a second logical link. The first virtual router corresponds to the first service, and the second virtual router corresponds to the second service. The first logical link is the logical link connecting the first virtual router and the virtual firewall, and the second logical link is the logical link connecting the second virtual router and the virtual firewall. In this embodiment, by having virtual routers for different services share a virtual firewall, the vFW resource consumption can be effectively reduced, thereby lowering network deployment costs.
[0195] See Figure 9, which is a schematic diagram of the structure of a network deployment device provided in an embodiment of the present invention. As shown in Figure 9, the network deployment device 900 includes:
[0196] Module 901 is used to acquire the first service and the second service.
[0197] The first calling module 902 is used to call the Virtual Infrastructure Manager (VIM) and the Software Defined Network (SDN) controller to create a first virtual router and a second virtual router.
[0198] The second calling module 903 is used to call the security controller to create a virtual firewall when the first service and the second service have a security interaction requirement.
[0199] The third invocation module 904 is used to invoke the VIM, the SDN controller and the security controller to establish the first logical link and the second logical link;
[0200] Wherein, the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall.
[0201] Optionally, the first calling module 902 includes:
[0202] The first instruction module is used to send first instruction information for creating a first virtual router and a second virtual router to the VIM and the SDN controller;
[0203] The first configuration module is used by the SDN controller to generate first configuration information based on the first indication information.
[0204] The first sending module is used to send the first configuration information to the data center gateway DC-GW to create a first virtual router and a second virtual router.
[0205] Optionally, the second calling module 903 includes:
[0206] The second instruction module is used to send a second instruction message for creating a virtual firewall to the security controller;
[0207] The second configuration module is used by the security controller to generate second configuration information based on the second indication information.
[0208] The second sending module is used to send the second configuration information to the hardware firewall to create the virtual firewall.
[0209] Optionally, the third calling module 904 includes:
[0210] The resource allocation module is used to allocate and determine the network resources to be connected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall.
[0211] The first invocation submodule is used to invoke the VIM and the SDN controller to create the first interconnection interface and the second interconnection interface on the DC-GW side according to the network resources being connected;
[0212] The second calling submodule is used to call the security controller to create the third and fourth interconnect interfaces on the hardware firewall side based on the connected network resources.
[0213] The first establishment module is used to establish the first logical link based on the first interconnection interface and the third interconnection interface;
[0214] The second establishment module is used to establish the second logical link based on the second interconnection interface and the fourth interconnection interface;
[0215] Wherein, the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
[0216] Optionally, the first calling submodule includes:
[0217] The third instruction module is used to send third instruction information for creating the first interconnection interface and the second interconnection interface to the VIM and the SDN controller according to the interconnection network resources.
[0218] The third configuration module is used by the SDN controller to generate third configuration information based on the third indication information.
[0219] The third sending module is used to send the third configuration information to the data center gateway DC-GW to create the first interconnection interface and the second interconnection interface;
[0220] The second calling submodule includes:
[0221] The fourth instruction module is used to send fourth instruction information for creating a third interconnection interface and a fourth interconnection interface to the security controller based on the network resources being connected;
[0222] The fourth configuration module is used by the security controller to generate fourth configuration information based on the fourth instruction information.
[0223] The fourth sending module is used to send the fourth configuration information to the hardware firewall to create the third interconnection interface and the fourth interconnection interface.
[0224] It should be noted that the network deployment device provided in this embodiment of the invention is an apparatus capable of executing the above-described network deployment method. Therefore, all implementation methods in the above-described network deployment method embodiments are applicable to this network deployment device and can achieve the same or similar beneficial effects. To avoid repetition, this embodiment will not elaborate further.
[0225] As shown in Figure 10, this embodiment of the invention also provides an electronic device, including a bus 1001, a transceiver 1002, an antenna 1003, a bus interface 1004, a processor 1005, and a memory 1006.
[0226] Processor 1005 is used to acquire the first and second services;
[0227] Invoke the Virtual Infrastructure Manager (VIM) and the Software Defined Networking (SDN) controller to create a first virtual router and a second virtual router;
[0228] If the first service and the second service have a security interaction requirement, call the security controller to create a virtual firewall;
[0229] The VIM, the SDN controller, and the security controller are invoked to establish a first logical link and a second logical link.
[0230] Wherein, the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall.
[0231] Optionally, the steps of obtaining the first service and the second service can also be performed by the transceiver 1002.
[0232] Optionally, the step of invoking the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create the first virtual router and the second virtual router includes:
[0233] Send first instruction information for creating a first virtual router and a second virtual router to the VIM and the SDN controller;
[0234] The SDN controller generates first configuration information based on the first indication information and sends the first configuration information to the data center gateway (DC-GW) to create a first virtual router and a second virtual router.
[0235] Optionally, the step of invoking the security controller to create a virtual firewall includes:
[0236] Send a second instruction message to the security controller to create a virtual firewall;
[0237] The security controller generates second configuration information based on the second instruction information and sends the second configuration information to the hardware firewall to create the virtual firewall.
[0238] Optionally, the invocation of the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link includes:
[0239] Based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall, allocate and determine the network resources to be connected;
[0240] Based on the network resources being connected, the VIM and the SDN controller are invoked to create the first interconnection interface and the second interconnection interface on the DC-GW side;
[0241] Based on the network resources being connected, the security controller is invoked to create the third and fourth interconnect interfaces on the hardware firewall side;
[0242] The first logical link is established based on the first interconnection interface and the third interconnection interface;
[0243] The second logical link is established based on the second interconnection interface and the fourth interconnection interface;
[0244] Wherein, the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
[0245] Optionally, the step of calling the VIM and the SDN controller to create the first interconnection interface and the second interconnection interface on the DC-GW side according to the network resources being connected includes:
[0246] Based on the network resources being connected, a third instruction message for creating a first interconnect interface and a second interconnect interface is sent to the VIM and the SDN controller;
[0247] The SDN controller generates third configuration information based on the third indication information and sends the third configuration information to the data center gateway DC-GW to create the first interconnection interface and the second interconnection interface;
[0248] The step of calling the security controller to create the third and fourth interconnect interfaces on the hardware firewall side based on the connected network resources includes:
[0249] Based on the network resources being connected, a fourth instruction message for creating a third interconnect interface and a fourth interconnect interface is sent to the security controller;
[0250] The security controller generates fourth configuration information based on the fourth indication information and sends the fourth configuration information to the hardware firewall to create the third interconnection interface and the fourth interconnection interface.
[0251] In Figure 10, a bus architecture (represented by bus 1001) is used. Bus 1001 may include any number of interconnected buses and bridges, linking various circuits including one or more processors represented by processor 1005 and memory represented by memory 1006. Bus 1001 may also link various other circuits such as peripheral devices, voltage regulators, and power management circuits, which are well known in the art and therefore will not be described further herein. Bus interface 1004 provides an interface between bus 1001 and transceiver 1002. Transceiver 1002 may be a single element or multiple elements, such as multiple receivers and transmitters, providing a unit for communicating with various other devices over a transmission medium. Data processed by processor 1005 is transmitted over a wireless medium via antenna 1003, which further receives data and transmits it to processor 1005.
[0252] Processor 1005 is responsible for managing bus 1001 and general processing, and can also provide various functions, including timing, peripheral interface, voltage regulation, power management, and other control functions. Memory 1006 can be used to store data used by processor 1005 during operation.
[0253] Optionally, the processor 1005 can be a CPU, ASIC, FPGA, or CPLD.
[0254] It should be noted that the electronic device provided in this embodiment of the invention is a device capable of executing the above-described network deployment method. Therefore, all implementation methods in the above-described network deployment method embodiments are applicable to this electronic device and can achieve the same or similar beneficial effects. To avoid repetition, this embodiment will not elaborate further.
[0255] This invention also provides a server, including a cloud management platform, a Virtual Infrastructure Manager (VIM), a Software-Defined Networking (SDN) controller, and a security controller;
[0256] The cloud management platform is used for:
[0257] Acquire the first service and the second service;
[0258] Invoke the Virtual Infrastructure Manager (VIM) and the Software Defined Networking (SDN) controller to create a first virtual router and a second virtual router;
[0259] When the first service and the second service have a security interaction requirement, the security controller is invoked to create a virtual firewall;
[0260] The VIM, the SDN controller, and the security controller are invoked to establish a first logical link and a second logical link.
[0261] Wherein, the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall.
[0262] Optionally, the step of invoking the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create the first virtual router and the second virtual router includes:
[0263] Send first instruction information for creating the first virtual router and the second virtual router to the VIM and the SDN controller;
[0264] The SDN controller generates first configuration information based on the first instruction information and sends the first configuration information to the data center gateway (DC-GW) to create the first virtual router and the second virtual router.
[0265] Optionally, the step of invoking the security controller to create a virtual firewall includes:
[0266] Send second instruction information for creating the virtual firewall to the security controller;
[0267] The security controller generates second configuration information based on the second instruction information and sends the second configuration information to the hardware firewall to create the virtual firewall.
[0268] Optionally, the invocation of the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link includes:
[0269] Determine the network resources to be connected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall;
[0270] Based on the network resources to be connected, invoke the VIM and the SDN controller to create a first interconnection interface and a second interconnection interface on the DC-GW side;
[0271] Based on the network resources to be connected, invoke the security controller to create a third interconnection interface and a fourth interconnection interface on the hardware firewall side;
[0272] The first logical link is established based on the first interconnection interface and the third interconnection interface;
[0273] The second logical link is established based on the second interconnection interface and the fourth interconnection interface;
[0274] Wherein, the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
[0275] Optionally, the step of calling the VIM and the SDN controller to create the first interconnection interface and the second interconnection interface on the DC-GW side according to the network resources to be connected includes:
[0276] Based on the network resources to be connected, send third instruction information for creating the first interconnection interface and the second interconnection interface to the VIM and the SDN controller;
[0277] The SDN controller generates third configuration information based on the third instruction information and sends the third configuration information to the data center gateway (DC-GW) to create the first interconnection interface and the second interconnection interface;
[0278] The step of calling the security controller to create the third interconnection interface and the fourth interconnection interface on the hardware firewall side according to the network resources to be connected includes:
[0279] Based on the network resources to be connected, send fourth instruction information for creating the third interconnection interface and the fourth interconnection interface to the security controller;
[0280] The security controller generates fourth configuration information based on the fourth instruction information and sends the fourth configuration information to the hardware firewall to create the third interconnection interface and the fourth interconnection interface.
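The server's orchestration sequence above, as an added Python model that is not the patent's or the assignee's code: the two controller classes, the VLAN pool standing in for the "network resources to be connected", and the configuration strings they emit are all constructed assumptions. It shows that two services with a security interaction requirement consume one shared vFW and two logical links (the many-to-one model), and it checks that every logical link pairs a DC-GW-side vRouter interface with a firewall-side vFW interface.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Interface:
    name: str
    side: str    # "DC-GW" (virtual router side) or "FW" (virtual firewall side)
    owner: str   # vRouter or vFW the interface belongs to
    vlan: int    # assumed: one VLAN sub-interface per interconnection interface

@dataclass
class LogicalLink:
    dcgw_if: Interface
    fw_if: Interface

class SdnController:
    """Stand-in: turns instruction information from the platform into DC-GW configuration."""
    def __init__(self):
        self.dcgw_config = []                                   # constructed config lines
    def create_vrouter(self, name):
        self.dcgw_config.append(f"vrouter {name}")              # first configuration information
        return name
    def create_interface(self, vrouter, vlan):
        iface = Interface(f"{vrouter}.{vlan}", "DC-GW", vrouter, vlan)
        self.dcgw_config.append(f"interface {iface.name} vlan {vlan}")  # third configuration information
        return iface

class SecurityController:
    """Stand-in: turns instruction information into hardware-firewall configuration."""
    def __init__(self):
        self.fw_config = []
    def create_vfw(self, name):
        self.fw_config.append(f"vfw {name}")                    # second configuration information
        return name
    def create_interface(self, vfw, vlan):
        iface = Interface(f"{vfw}.{vlan}", "FW", vfw, vlan)
        self.fw_config.append(f"interface {iface.name} vlan {vlan}")    # fourth configuration information
        return iface

class CloudManagementPlatform:
    def __init__(self, sdn, sec):
        self.sdn, self.sec = sdn, sec
        self.vrouters, self.vfws, self.links = {}, [], []
        self._vlans = count(100)   # assumed pool of "network resources to be connected"
    def deploy(self, services, interactions):
        for svc in services:                       # one vRouter per service
            self.vrouters[svc] = self.sdn.create_vrouter(f"vRouter-{svc}")
        for a, b in interactions:                  # one vFW per pair needing secure mutual access
            vfw = self.sec.create_vfw(f"vFW-{a}-{b}")
            self.vfws.append(vfw)
            for svc in (a, b):                     # interface on each side, then the logical link
                vlan = next(self._vlans)
                dcgw_if = self.sdn.create_interface(self.vrouters[svc], vlan)
                fw_if = self.sec.create_interface(vfw, vlan)
                self.links.append(LogicalLink(dcgw_if, fw_if))
        return self
    def links_consistent(self):
        """Each link joins a DC-GW interface of a known vRouter to an FW interface of a
        known vFW on the same VLAN, and no vRouter/vFW pair is linked twice."""
        seen = set()
        for lk in self.links:
            pair = (lk.dcgw_if.owner, lk.fw_if.owner)
            if (lk.dcgw_if.side != "DC-GW" or lk.fw_if.side != "FW"
                    or pair[0] not in self.vrouters.values() or pair[1] not in self.vfws
                    or lk.dcgw_if.vlan != lk.fw_if.vlan or pair in seen):
                return False
            seen.add(pair)
        return True
```

With a one-vFW-per-vRouter model the same two services would need two vFWs; here `deploy` reports one vFW and two links, which is the resource saving the method targets.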
[0281] It should be noted that the server provided in this embodiment of the invention is an apparatus capable of executing the above-described network deployment method. Therefore, all implementation methods in the above-described network deployment method embodiments are applicable to this server and can achieve the same or similar beneficial effects. To avoid repetition, this embodiment will not elaborate further.
[0282] This invention also provides an electronic device, including: a processor, a memory, and a program stored in the memory and executable on the processor. When the program is executed by the processor, it implements the various processes of the above-described network deployment method embodiments and achieves the same technical effects. To avoid repetition, it will not be described again here.
[0283] This invention also provides a computer-readable storage medium storing a computer program. When executed by a processor, this computer program implements the various processes of the network deployment method embodiments described above and achieves the same technical effects. To avoid repetition, it will not be described again here. The computer-readable storage medium may be a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, etc.
[0284] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.
[0285] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk), and includes several instructions to cause a terminal (which may be a mobile phone, computer, server, air conditioner, or network device, etc.) to execute the methods described in the various embodiments of the present invention.
[0286] The embodiments of the present invention have been described above with reference to the accompanying drawings. However, the present invention is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other forms under the guidance of the present invention without departing from the spirit and scope of the claims, and all of these forms are within the protection scope of the present invention.
Claims
1. A network deployment method, characterized in that the method includes: the cloud management platform acquires a first service and a second service; the cloud management platform calls the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create a first virtual router and a second virtual router; when the first service and the second service have a security interaction requirement, the cloud management platform calls the security controller to create a virtual firewall for the mutual access process between the first service and the second service; the cloud management platform invokes the VIM, the SDN controller, and the security controller to establish a first logical link and a second logical link; wherein the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall; the cloud management platform invoking the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link includes: the cloud management platform determines the network resources to be connected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall; based on the network resources to be connected, the cloud management platform calls the VIM and the SDN controller to create a first interconnection interface and a second interconnection interface on the DC-GW side; based on the network resources to be connected, the cloud management platform calls the security controller to create a third interconnection interface and a fourth interconnection interface on the hardware firewall side; the cloud management platform establishes the first logical link based on the first interconnection interface and the third interconnection interface; the cloud management platform establishes the second logical link based on the second interconnection interface and the fourth interconnection interface; wherein the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
2. The method according to claim 1, characterized in that calling the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create the first virtual router and the second virtual router includes: sending first instruction information for creating the first virtual router and the second virtual router to the VIM and the SDN controller; and the SDN controller generating first configuration information based on the first instruction information and sending the first configuration information to the data center gateway (DC-GW) to create the first virtual router and the second virtual router.
3. The method according to claim 1, characterized in that calling the security controller to create the virtual firewall includes: sending second instruction information for creating the virtual firewall to the security controller; and the security controller generating second configuration information based on the second instruction information and sending the second configuration information to the hardware firewall to create the virtual firewall.
4. The method according to claim 1, characterized in that calling the VIM and the SDN controller to create the first interconnection interface and the second interconnection interface on the DC-GW side according to the network resources to be connected includes: based on the network resources to be connected, sending third instruction information for creating the first interconnection interface and the second interconnection interface to the VIM and the SDN controller; and the SDN controller generating third configuration information based on the third instruction information and sending the third configuration information to the data center gateway (DC-GW) to create the first interconnection interface and the second interconnection interface; and calling the security controller to create the third interconnection interface and the fourth interconnection interface on the hardware firewall side according to the network resources to be connected includes: based on the network resources to be connected, sending fourth instruction information for creating the third interconnection interface and the fourth interconnection interface to the security controller; and the security controller generating fourth configuration information based on the fourth instruction information and sending the fourth configuration information to the hardware firewall to create the third interconnection interface and the fourth interconnection interface.
5. A network deployment device applied to a cloud management platform, characterized in that it includes: an acquisition module, used to acquire a first service and a second service; a first calling module, used to call the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create a first virtual router and a second virtual router; a second calling module, used to call the security controller to create a virtual firewall for the mutual access process between the first service and the second service when the first service and the second service have a security interaction requirement; and a third calling module, used to invoke the VIM, the SDN controller, and the security controller to establish a first logical link and a second logical link; wherein the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall; the third calling module includes: a resource allocation module, used to determine the network resources to be connected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall; a first calling submodule, used to call the VIM and the SDN controller to create a first interconnection interface and a second interconnection interface on the DC-GW side according to the network resources to be connected; a second calling submodule, used to call the security controller to create a third interconnection interface and a fourth interconnection interface on the hardware firewall side according to the network resources to be connected; a first establishment module, used to establish the first logical link based on the first interconnection interface and the third interconnection interface; and a second establishment module, used to establish the second logical link based on the second interconnection interface and the fourth interconnection interface; wherein the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
6. An electronic device applied to a cloud management platform, characterized in that it includes a processor, the processor being used to: acquire a first service and a second service; invoke the Virtual Infrastructure Manager (VIM) and the Software-Defined Networking (SDN) controller to create a first virtual router and a second virtual router; when the first service and the second service have a security interaction requirement, invoke the security controller to create a virtual firewall for the mutual access process between the first service and the second service; and invoke the VIM, the SDN controller, and the security controller to establish a first logical link and a second logical link; wherein the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall; invoking the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link includes: determining the network resources to be connected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall; based on the network resources to be connected, invoking the VIM and the SDN controller to create a first interconnection interface and a second interconnection interface on the DC-GW side; based on the network resources to be connected, invoking the security controller to create a third interconnection interface and a fourth interconnection interface on the hardware firewall side; establishing the first logical link based on the first interconnection interface and the third interconnection interface; and establishing the second logical link based on the second interconnection interface and the fourth interconnection interface; wherein the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
7. A server, characterized in that it includes a cloud management platform, a Virtual Infrastructure Manager (VIM), a Software-Defined Networking (SDN) controller, and a security controller, the cloud management platform being used to: acquire a first service and a second service; invoke the VIM and the SDN controller to create a first virtual router and a second virtual router; when the first service and the second service have a security interaction requirement, invoke the security controller to create a virtual firewall for the mutual access process between the first service and the second service; and invoke the VIM, the SDN controller, and the security controller to establish a first logical link and a second logical link; wherein the first virtual router is a virtual router corresponding to the first service, and the second virtual router is a virtual router corresponding to the second service; the first logical link is a logical link connecting the first virtual router and the virtual firewall, and the second logical link is a logical link connecting the second virtual router and the virtual firewall; invoking the VIM, the SDN controller, and the security controller to establish the first logical link and the second logical link includes: determining the network resources to be connected based on the network topology and working model of the data center gateway (DC-GW) and the hardware firewall; based on the network resources to be connected, invoking the VIM and the SDN controller to create a first interconnection interface and a second interconnection interface on the DC-GW side; based on the network resources to be connected, invoking the security controller to create a third interconnection interface and a fourth interconnection interface on the hardware firewall side; establishing the first logical link based on the first interconnection interface and the third interconnection interface; and establishing the second logical link based on the second interconnection interface and the fourth interconnection interface; wherein the first interconnection interface is the interconnection interface of the first virtual router, the second interconnection interface is the interconnection interface of the second virtual router, and the third and fourth interconnection interfaces are the interconnection interfaces of the virtual firewall.
8. An electronic device, characterized in that it includes: a processor, a memory, and a program stored in the memory and executable on the processor, wherein the program, when executed by the processor, implements the steps of the network deployment method as described in any one of claims 1 to 4.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the network deployment method as described in any one of claims 1 to 4.
Citation Information
Patent Citations
Strategy configuration method and device, equipment and storage medium
CN114071488A