An access control system, method, device, computer program product, and storage medium

By deploying a firewall engine outside the virtual private network and using forwarding components for access control, the high cost problem caused by deploying a firewall engine inside the virtual private network is solved, and centralized management and security improvement of cloud resource access are achieved.

CN122179119APending Publication Date: 2026-06-09ALIBABA CLOUD COMPUTING CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
ALIBABA CLOUD COMPUTING CO LTD
Filing Date
2024-12-06
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

The high cost of deploying firewall engines within each virtual private network is a problem that current technologies cannot effectively reduce.

Method used

Firewall engines are deployed outside multiple virtual private networks (VPNs) of the target customers, and forwarding components are deployed in each VPN. The firewall engines centrally manage cloud resource access requests through the forwarding components and use the forwarding components for access control.

Benefits of technology

By centrally managing cloud resource access requests, the need to deploy firewall engines within each virtual private network is reduced, thereby effectively saving on firewall engine usage costs while improving cloud resource security and access control efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122179119A_ABST
    Figure CN122179119A_ABST
Patent Text Reader

Abstract

The present disclosure provides an access control system, method, device, computer program product and storage medium. A virtual private network to be controlled and a forwarding component to be interconnected in different virtual private networks are set in any firewall engine, and an access rule that is prohibited from being tampered with is set in any forwarding component; in this way, the firewall engine can interconnect with different virtual private networks through the forwarding component, and control access to cloud resource access requests by means of the access rule set in the forwarding component. Accordingly, based on the access control system proposed in the present embodiment, in the case of needing to control access to multiple virtual private networks, the cloud resource access requests can be centrally controlled by the firewall engine deployed outside the multiple virtual private networks, without the need to deploy a firewall engine in each virtual private network, thereby effectively saving the use cost of the firewall engine.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of cloud computing technology, and more specifically, to an access control system, method, apparatus, computer program product, and storage medium. Background Technology

[0002] A Virtual Private Cloud (VPC) is a private network created by a target customer. Each target customer will create multiple VPCs, and the target customer can access cloud resources in each VPC.

[0003] Currently, customers typically deploy firewall engines within virtual private networks (VPNs). Since firewall engines can only access cloud resources within their own VPN, customers need to deploy firewall engines in each VPN to support normal access to cloud resources. This results in excessively high costs for customers to use firewall engines. Summary of the Invention

[0004] This embodiment provides an access control system, method, apparatus, computer program product, and storage medium to reduce the cost of using firewall engines.

[0005] This embodiment provides an access control system, including at least one firewall engine deployed for a target customer. The at least one firewall engine is deployed outside of multiple virtual private networks corresponding to the target customer. Each firewall engine is communicatively connected to the virtual private network it needs to manage, and a forwarding component that communicates with the firewall engine is deployed in the virtual private network it needs to manage.

[0006] The firewall engine is configured to, in response to receiving a cloud resource access request for the target customer, select a target virtual private network (VPN) from the VPNs to be managed that is compatible with the cloud resource access request; and forward the cloud resource access request to a forwarding component in the target VPN.

[0007] The forwarding component in the target virtual private network is used to perform access control on the cloud resource access requests according to the set access rules.

[0008] This embodiment provides an access control method applicable to any firewall engine deployed for a target customer. The firewall engine is deployed outside of multiple virtual private networks (VPNs) corresponding to the target customer. The firewall engine is communicatively connected to the VPNs it needs to manage, and a forwarding component that interoperates with the firewall engine is deployed in the VPNs it needs to manage. The method includes:

[0009] In response to receiving a cloud resource access request for the target customer;

[0010] Select the target virtual private network (VPN) that is compatible with the cloud resource access request from the VPNs that need to be managed;

[0011] The cloud resource access request is forwarded to the forwarding component in the target virtual private network, so that the cloud resource access request can be controlled by the forwarding component in the target virtual private network in accordance with the set access rules.

[0012] This embodiment provides an access control method applicable to forwarding components deployed in any virtual private network (VPN) corresponding to a target customer. In addition to multiple VPNs corresponding to the target customer, at least one firewall engine is deployed for the target customer. Each firewall engine communicates with the forwarding components within the VPN it needs to manage. The method includes:

[0013] Receive cloud resource access requests;

[0014] If the cloud resource access request is forwarded by a firewall engine that has interconnected with the forwarding component, then access control for the cloud resource access request is performed in the virtual private network in accordance with the set access rules.

[0015] This embodiment also provides a computing device, including a memory and a processor;

[0016] The memory is used to store one or more computer instructions;

[0017] The processor is coupled to the memory and is used to execute one or more computer instructions for performing the aforementioned access control method.

[0018] This embodiment also provides a computer-readable storage medium that, when the computer instructions are executed by one or more processors, causes the one or more processors to perform the aforementioned access control method.

[0019] This embodiment also provides a computer program product, including a computer program, wherein when the computer program is executed by a processor, the processor performs the aforementioned access control method.

[0020] In this embodiment, upon receiving a cloud resource access request from a target customer, the firewall engine selects a target virtual private network (VPN) from the VPNs to be managed that matches the cloud resource access request. The firewall engine forwards the cloud resource access request to a forwarding component within the target VPN. The forwarding component within the target VPN then performs access control on the cloud resource access request according to predefined access rules. Therefore, when access control of cloud resource access requests for multiple VPNs of a target customer is required, centralized management of cloud resource access requests can be achieved by deploying a firewall engine outside of each VPN, eliminating the need to deploy a firewall engine within each VPN. This effectively saves the target customer's firewall engine usage costs. Attached Figure Description

[0021] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, illustrate exemplary embodiments and are used to explain this application, but do not constitute an undue limitation of this application. In the drawings:

[0022] Figure 1 A schematic diagram of the structure of an access control system provided in an exemplary embodiment of this application;

[0023] Figure 2 A schematic diagram illustrating an optional implementation logic of an access control system provided for an exemplary embodiment of this application;

[0024] Figure 3 A schematic diagram of a single tunnel technology provided for an exemplary embodiment of this application;

[0025] Figure 4 A flowchart illustrating an access control method provided for an exemplary embodiment of this application;

[0026] Figure 5 A flowchart illustrating an access control method provided for another exemplary embodiment of this application;

[0027] Figure 6 A schematic diagram of the structure of a computing device is provided as another exemplary embodiment of this application;

[0028] Figure 7 This is a schematic diagram of the structure of a computer program product provided as another exemplary embodiment of this application. Detailed Implementation

[0029] To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of this application will be clearly and completely described below in conjunction with specific embodiments and corresponding drawings. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of them. Based on the embodiments in this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0030] Before proceeding with a detailed description of the technical solutions provided in the various embodiments of this application, the following is a brief explanation of several technical concepts involved in this application.

[0031] A Virtual Private Network (VPN) can be understood as a custom-built virtual network environment. It is a single-tenant network architecture where different VPNs are isolated from each other. Customers can create multiple VPNs and manage them, such as selecting IP address ranges, configuring routing tables and gateways. Customers can also access various cloud resources within the VPN, such as Elastic Compute Service (ECS), Relational Database Service (RDS), and Server Load Balancer (SLB).

[0032] A firewall engine can be understood as a malicious traffic detection engine for a cloud platform. It is used to filter access traffic to websites or applications based on malicious characteristics, and then return the filtered safe traffic to the cloud platform to prevent the cloud platform from being maliciously attacked and causing performance abnormalities. This protects the core data within the cloud platform and ensures the stable operation of access traffic.

[0033] Cloud resources can be understood as various computing, storage, network, or software resources provided to customers for their use. Customers can rent, configure, or use these resources according to their needs. This embodiment does not limit the type of cloud resources; the type of cloud resources varies depending on the customer's needs. For example, if a customer needs to deploy cloud services on the cloud, the cloud resource can be an Elastic Compute Service (ECS); if a customer needs to distribute network traffic among multiple cloud servers, the cloud resource can be a Server Load Balancer (SLB). Further examples of cloud resource types are not provided here.

[0034] As described in the background section, in traditional firewall solutions, customers typically deploy firewall engines within virtual private networks (VPNs). Since firewall engines can only access cloud resources within their own VPNs, customers need to deploy firewall engines in each VPN to support normal access to these resources. This results in excessively high costs for customers using firewall engines.

[0035] Therefore, this embodiment proposes an access control system in the hope of saving customers the cost of using firewall engines.

[0036] The embodiments of this application will be described in detail below with reference to the accompanying drawings.

[0037] Figure 1 A schematic diagram of an access control system provided as an exemplary embodiment of this application is shown below. Figure 1 The system includes a firewall engine deployed for the target customer and forwarding components for different virtual private networks. The target virtual private network is a virtual private network adapted to the cloud resource access requests of the target customer. The forwarding components are used for the firewall engine to communicate with different virtual private networks.

[0038] In this embodiment, the type of firewall engine is not limited. The type of firewall engine is adaptable to different transmission methods of access traffic. For example, if the access traffic is network traffic based on HTTP or HTTPS protocols, then the firewall engine in this embodiment can be a Web Application Firewall (WAF); if the access traffic is network traffic sent by the database via TCP ports, then the firewall engine in this embodiment can be a cloud firewall based on a cloud platform (Software as a Service, SaaS). Further examples are not provided here.

[0039] This embodiment proposes improvements to the system architecture and the interaction process within the system.

[0040] In terms of system architecture, this embodiment proposes creating one or more firewall engines for the target customer, and deploying these firewall engines outside the target customer's corresponding VPN. For the target customer, the corresponding VPN can be one or more. This is completely different from the deployment location of firewall engines in traditional firewall solutions. The target customer can be any customer that needs to use firewall technology to control access requests to cloud resources.

[0041] In this embodiment, one or more firewall engines deployed for the target customer can form a firewall system. The firewall engines within the firewall system can work together to serve the target customer and help the target customer manage the access traffic flowing to its virtual private network.

[0042] Therefore, cloud resource access requests initiated by target customers across multiple virtual private networks (VPNs) will be centrally managed by the firewall system in this embodiment. The firewall system can redirect cloud resource access requests back to any VPN of the target customer as needed, thereby supporting cross-VPN access control even when the target customer has multiple VPNs.

[0043] In this embodiment, an exemplary routing scheme within the firewall system can be: pre-assigning source network addresses to each firewall engine within the firewall system; based on this, after a cloud resource access request arrives at the firewall system, the cloud resource access request can be routed to the appropriate firewall engine according to the source network address of the cloud resource access request. An optional implementation method is to configure routing rules for firewall engines within the firewall system; further examples are not provided here.

[0044] In this embodiment, the deployment location of the firewall system is not limited. Optionally, the firewall system in this embodiment can be deployed in a virtual private network (VPN). It is worth emphasizing that this VPN is located outside of the multiple VPNs used by the target customer for deploying cloud resources.

[0045] Figure 2 This is a schematic diagram illustrating an optional implementation logic of an access control system provided for an exemplary embodiment of this application. (Reference) Figure 2 Preferably, the firewall system can also be deployed in the control plane. Multiple virtual private networks (VPNs) corresponding to the target customers are deployed in the customer plane, with network isolation between the control plane and the customer plane. The customer plane can be understood as the network area that the target customer can directly access and manage. The target customer can create various cloud resources in the customer plane, such as computing, storage, network, and software resources. The control plane can be understood as the network area within the cloud vendor used to manage and control cloud resources. The control plane is typically not directly exposed to the target customer but is network isolated from the customer plane. In this embodiment, appropriate network communication technologies can be used to support interoperability between the firewall engine in the control plane and the forwarding components in the VPNs within the customer plane.

[0046] In this way, the firewall system is deployed within the controlled zone, which has a higher level of attack protection. Only a very small number of authorized personnel can know the access path of the firewall engine. Therefore, with this deployment method, the firewall engine is usually not vulnerable to attack. This can effectively prevent the firewall engine from becoming a breakthrough point when attacking cloud resources, thereby improving the security of cloud resources.

[0047] The system architecture in this application embodiment will be further described from the perspective of any firewall engine.

[0048] This embodiment proposes that the firewall engine can be configured to manage the desired virtual private networks (VPNs). A single firewall engine can manage one or more VPNs. It also supports configuring forwarding components within the firewall engine that enable communication between different managed VPNs.

[0049] Based on this, the firewall engine can establish a control relationship with the configured VPN, as well as interoperability with forwarding components within different managed VPNs. (Reference) Figure 1 After establishing the aforementioned control and communication relationships, the system architecture of the access control system illustrated in this embodiment can be realized:

[0050] A firewall engine manages one or more virtual private networks (VPNs) and communicates with the forwarding components within each VPN it manages.

[0051] In this embodiment, the forwarding component can be created primarily by the firewall engine, or it can be created in other ways; there is no limitation on this. Examples will be provided later, and details will not be elaborated upon here.

[0052] Continue to refer to Figure 1 Next, shifting the focus to the forwarding component within a single virtual private network (VPN), this embodiment uses the forwarding component to perform access control on cloud resources within its VPN. The forwarding component can forward cloud resource access requests from interconnected firewall engines to appropriate target cloud resources.

[0053] Based on the system architecture described above, the interaction process within the system in this embodiment will be further explained. The interaction process will be described from the perspective of a cloud resource access request.

[0054] After the cloud resource access request reaches the firewall system in this embodiment, it can be redirected to a specific firewall engine according to the traffic redirection scheme described above. The interaction process will be explained from the perspective of a firewall engine.

[0055] For this firewall engine, in response to receiving a cloud resource access request for a target customer, it can select a target virtual private network (VPN) from the VPNs that need to be managed that is compatible with the cloud resource access request.

[0056] In this embodiment, distribution rules at the virtual private network (VPN) level can be pre-configured in the firewall engine. Based on this, upon receiving a cloud resource access request, the firewall engine can select the appropriate target VPN based on the distribution rules. One exemplary distribution rule can pre-define the range of source network addresses that different VPNs are responsible for. This allows the firewall engine to find the VPN responsible for the source network address in the cloud resource access request and designate it as the target VPN. Another exemplary distribution rule can pre-define the user identifier that different VPNs are responsible for. The user identifier is used to distinguish the initiator of the cloud resource access request. This allows the firewall engine to find the VPN responsible for the user identifier in the cloud resource access request and designate it as the target VPN. Further examples of the implementation method for selecting the target VPN are not provided here.

[0057] Of course, besides the operation of selecting the target virtual private network mentioned in this embodiment, the firewall engine in this embodiment may also include other processing logic. For example, for any firewall engine, this embodiment proposes an optional implementation: to ensure the security of cloud resources in the virtual private network, the firewall engine will perform malicious identification on cloud resource access requests to ensure that cloud resource access requests sent to the cloud resources are secure requests. Here, the firewall engine can preset interception rules for cloud resource access requests, such as detecting whether the source network address and destination network address of the cloud resource access request are malicious addresses; detecting whether the request frequency of the source network address of the cloud resource access request is a normal request frequency. In addition, the firewall engine can also perform malicious feature identification on the request content of the cloud resource access request based on a malicious feature database. The malicious feature database contains known feature patterns of various network attacks, such as the data format or communication pattern of malicious traffic. When a cloud resource access request hits the above-mentioned interception rules or matches the malicious features in the malicious feature database, the firewall engine intercepts the cloud resource access request.

[0058] Continue to refer to Figure 1 For firewall engines, once the target VPN is identified, cloud resource access requests can be forwarded to the forwarding component within the target VPN.

[0059] In the access system proposed in this embodiment, forwarding components are deployed in all virtual private networks (VPNs) managed by the firewall engine and are interconnected with the firewall engine. Based on this interconnection, the firewall engine can forward cloud resource access requests to the forwarding components. The forwarding components receive cloud resource access requests forwarded by the firewall engine and further forward them to the cloud resources. In this embodiment, the implementation form of the forwarding components is not limited; various forms of forwarding components are supported, and appropriate forms of forwarding components can be selected as needed for different VPNs. Therefore, this embodiment supports configuring the required implementation form of the forwarding components for different VPNs within the firewall engine. Exemplary implementation forms of the forwarding components will be described later and will not be detailed here.

[0060] Continue to refer to Figure 1 Based on the access control system proposed in this embodiment, the forwarding component is configured with access rules, and the forwarding component can perform access control on cloud resource access requests according to the configured access rules.

[0061] In this embodiment, access rules are used to filter out requests for which the user does not have access rights to cloud resources within the virtual private network. Since different types of forwarding components have different access rules, the methods for controlling access to cloud resources according to these rules also differ. Here, we do not limit the method of access control based on access rules; several alternative implementation methods for access control will be proposed later.

[0062] In this embodiment, the method for creating access rules set within the forwarding component is not limited; access rules can be created according to the usage scenario of the forwarding component. Several exemplary schemes for creating access rules will be provided later.

[0063] Optionally, it can be supported to configure access rules in the firewall engine and apply them to the forwarding components. In this way, the firewall engine can serve as a unified configuration entry point. Target clients can execute configurations in the firewall engine, which will automatically take effect in the forwarding components within each virtual private network, eliminating the need to configure them in the forwarding components within the virtual private network. This effectively improves configuration convenience.

[0064] As mentioned above, the firewall engine performs malicious identification on cloud resource access requests to identify secure requests within them and forwards these secure requests to the cloud resources within the VPN. This is equivalent to filtering cloud resource access requests on the VPN side of the firewall system. In this embodiment, the forwarding component performs access control on cloud resource access requests according to the set access rules, which is equivalent to filtering cloud resource access requests again on the client's VPN side. Through this processing method, a second filtering of cloud resource access requests is achieved, ensuring that cloud resource access requests entering the cloud resources are secure and valid, thereby improving the security of cloud resources within the VPN.

[0065] In summary, as described above, in this embodiment, the firewall engine, upon receiving a cloud resource access request from a target customer, selects a target virtual private network (VPN) from the VPNs to be managed that matches the cloud resource access request. The firewall engine then forwards the cloud resource access request to a forwarding component within the target VPN. The forwarding component within the target VPN then performs access control on the cloud resource access request according to pre-defined access rules. Therefore, when access control of cloud resource access requests for multiple VPNs of a target customer is required, centralized management of these requests can be achieved by deploying a firewall engine outside of each VPN, eliminating the need to deploy a firewall engine within each VPN. This effectively saves the target customer's firewall engine usage costs.

[0066] In the above or below embodiments, the firewall engine may also respond to a configuration operation by triggering the creation of a forwarding component in any virtual private network that needs to be managed; wherein any forwarding component contains access rules that prohibit tampering.

[0067] It is worth emphasizing that, in this embodiment, the access rules within the forwarding component are tamper-proof. That is, once the access rules within the forwarding component are in effect, various attack methods cannot tamper with them. This effectively ensures the security of the access rules. Therefore, it guarantees that the forwarding component introduced in this embodiment will not cause security issues during access control based on the firewall engine. The security of the forwarding component itself can be combined with the security of the firewall engine itself mentioned above, achieving dual security protection, thereby further ensuring the security of the access control process based on the firewall engine.

[0068] Therefore, in this embodiment, since the forwarding component deployed in the virtual private network has access rules that prevent tampering, the security of the access control process can be effectively guaranteed while saving the cost of the firewall engine, and security problems will not be caused by cost savings. The forwarding component in this embodiment can be created through various implementation methods, and no limitation is made. Examples will be provided later, and detailed descriptions will not be elaborated here.

[0069] In this embodiment, forwarding components with various implementation forms can be provided, including but not limited to access control components and address translation nodes.

[0070] The access control component is a management component used to control access to cloud resources. In this embodiment, the specific access control technology employed by the access control component is not limited. Preferably, the access control component may employ security group technology to implement access control. Here, security group technology can be understood as a virtual firewall with stateful inspection and packet filtering capabilities, used to divide security domains in the cloud and control inbound and outbound traffic to cloud resources. Therefore, a security group component can be deployed in the virtual private network as needed, serving as the access control component in this embodiment.

[0071] In this context, the address translation node can be understood as a type of NAT (Network Address Translation Gateway) used to provide network address translation services. In this embodiment, the address translation node is used to translate the network addresses of various cloud resources into public IP addresses, so that they can access the public network through the same public IP address. This way, the translated public IP address is exposed to the public network, thereby hiding the network addresses of each cloud resource.

[0072] In this embodiment, it is supported to set the implementation form of the selected forwarding component in the firewall engine for different virtual private networks that need to be managed.

[0073] One optional configuration method proposes that one or more critical virtual private networks (VPNs) can be associated with the firewall engine within a specified range, and the implementation of the forwarding component within the critical VPN can be set as an access control component. Here, the specified range can be determined based on the limited number of elastic network interfaces (ENIs) supported by the firewall engine. An ENI can be understood as a virtual network interface that provides network interfaces and network addresses for cloud resources within a VPN. Each cloud resource can be attached with one or more ENIs to meet network requirements in different use cases. However, since the number of ENIs that can be bound to a cloud resource is limited, the number of ENIs supported by a firewall engine is also limited. Of course, the specified range can also be determined based on other factors, and is not limited to the limited number of ENIs.

[0074] In the optional design approach, it is further proposed that for virtual private networks exceeding the specified number range, the implementation of the forwarding component within the excess virtual private networks can be set as an address translation node in the firewall engine.

[0075] Of course, the above configuration method is only optional, and this embodiment is not limited to it. For example, all forwarding components within the virtual private network can also be implemented as address translation nodes, but no further examples will be given here.

[0076] Next, based on the several exemplary forwarding components provided above, the system architecture in this embodiment will be described in an exemplary manner.

[0077] Access control components:

[0078] Based on the selection of an access control component as the implementation mode, this embodiment provides an optional implementation method for creating an access control component in a virtual private network.

[0079] In this optional implementation, if the forwarding component configured for any virtual private network (VPN) to be managed is an access control component, the firewall engine can trigger the creation of an access control component in the VPN even if no access control component has been created in the VPN. The access control scope of the access control component is the cloud resources within the VPN. The access control component contains filtering rules that cannot be tampered with, and the filtering rules include the allowed source network addresses, which are the network addresses of the initiators of the cloud resource access requests.

[0080] In this optional implementation, an access control component can be created by triggering the firewall engine, and the access control scope that the access control component can manage can be set. The access control scope is used to determine the cloud resources within the virtual private network that the access control component can manage.

[0081] In this optional implementation, the firewall engine can employ various triggering schemes to trigger the creation of access control components and the setting of filtering rules. An exemplary triggering scheme is provided below.

[0082] This exemplary triggering scheme proposes that, when the forwarding component configured for any VPN requiring management is an access control component, the firewall engine can send an access control component creation request for the VPN to the access control component management system. The access control component creation request may contain the source network address that the VPN needs to manage. The access control component management system can be used to create access control components in the VPN; collect the network addresses of each cloud resource in the VPN as destination network addresses; and establish routing relationships between the source network addresses contained in the access control component creation request and the collected destination network addresses as filtering rules within the access control component.

[0083] It is understandable that the access control component management system does not actively create access control components. In this exemplary triggering scheme, the access control component management system can be triggered to perform the operation of creating the access control component by sending an access control component creation request through the firewall engine. Of course, a communication protocol between the firewall engine and the access control component management system can also be designed as needed, and the firewall engine can trigger the access control component management system to perform the access control component creation operation by following the designed communication protocol.

[0084] In this exemplary triggering method, the access control component management system can determine the network address of the virtual private network (VPN) that the access control component is responsible for, based on the source network address in the access control component creation request. In practical applications, when creating an access control component, the access control component management system can configure basic information about the access control component, including but not limited to the access control component name, filtering rules, the VPN it belongs to, and select the management mode of the access control component (e.g., when the access control component is a security group, a managed security group can be selected) to adapt to different use cases. The filtering rules are configured based on the source network address that the VPN where the access control component resides, as indicated by the firewall engine.

[0085] As mentioned earlier, the access control component is deployed within a virtual private network (VPN) in the client area to manage cloud resources within that VPN. Since various cloud resources can be deployed in different VPNs, the access control component can also manage multiple cloud resources. To this end, the access control component management system collects the network addresses of each cloud resource in the VPN as destination network addresses, ensuring that the access control component can accurately locate the cloud resource to be managed based on the destination network address.

[0086] As described above, the access control component (ACC) management system can automatically configure filtering rules within the ACC based on the source and destination network addresses. Therefore, after introducing ACC as a forwarding component into a virtual private network (VPN), target clients do not need to manually configure the filtering rules within the ACC. Instead, they can achieve automatic configuration of the ACC filtering rules through a simple configuration within the firewall engine (setting the aforementioned source network address). This not only reduces the manual configuration cost for target clients but also effectively avoids configuration errors that often occur during manual configuration. Furthermore, the ACC possesses an immutable attribute, thus ensuring that the filtering rules within the ACC are protected from tampering. Even if the ACC is attacked, attackers cannot modify the filtering rules, effectively guaranteeing the security of the filtering rules.

[0087] Therefore, when the forwarding component is an access control component, the firewall engine can accurately control access requests to cloud resources by using the filtering rules set within the aforementioned access control component. Moreover, the filtering rules are immutable, which can effectively reduce the risk exposure surface of the access control component, thereby ensuring the security of cloud resources and reducing the risk of cloud resources being exposed.

[0088] Depending on the usage scenario, the management mode of the access control component varies. For example, when frequent updates to the filtering rules within the access control component are required, a managed access control component can be selected (i.e., as mentioned earlier, when the access control component is a security group, a managed security group can be selected, thereby leveraging the automatic update capability of the managed security group to update the filtering rules in a timely manner). This embodiment will not provide further examples of the management modes of the access control component.

[0089] As mentioned earlier, the access control component also has filtering rules that prevent tampering. These filtering rules can be understood as the access rules in the forwarding component mentioned above.

[0090] Therefore, when the forwarding component configured in the VPN is an access control component, the firewall engine can trigger the creation of the access control component in the VPN using the methods described above. Since the access control component contains filtering rules that prevent tampering, even if the access control component is attacked, the access control process will not be affected, thus effectively reducing the risk of cloud resource leakage.

[0091] Address translation node:

[0092] Based on the determination that the implementation form is an address translation node, this embodiment provides an optional implementation method for creating an address translation node.

[0093] In this optional implementation, the firewall engine responds to the configuration operation by creating an address translation node in the virtual private network if the forwarding component configured for any virtual private network to be managed is an address translation node. The address translation node is bound to the target cloud resource in the virtual private network. The address translation node is configured with the target network address that is allowed to trigger the address translation operation and is prohibited from being tampered with.

[0094] It is worth emphasizing that in this embodiment, the address translation node is bound to the target cloud resource in the virtual private network (see reference). Figure 2 As shown, the address translation node is bound to cloud resource B-1. The address translation node does not depend on the elastic network interface device and will not occupy the customer's network address pool. Therefore, by using the address translation node configuration method, it will not be limited by the number of elastic network interface devices on the firewall engine.

[0095] Since the address translation node is directly connected to the firewall engine, it's necessary to determine which firewall engine can access the target cloud resource bound to the address translation node. To do this, when triggering the creation of the address translation node, the target network address allowed to trigger address translation operations can be set; this is the access rule for the forwarding component mentioned earlier. The target network address can be understood as the firewall engine's public IP address, which is carried when the firewall engine forwards a cloud resource access request to the address translation node.

[0096] In this optional implementation, the firewall engine can employ various triggering schemes to trigger the creation of an address translation node. One exemplary triggering scheme involves the firewall engine sending a channel establishment request to the network management system for the virtual private network (VPN), thereby triggering the network management system to create an address translation node within the VPN. The network management system can be a management system provided by the target customer or a cloud vendor, capable of establishing communication channels across VPNs; the system name is not limited here. The channel establishment request may include the firewall engine's own address information, the required channel type, and the identification information of the cloud resources expected to be connected within the VPN. Based on this information, the network management system can establish an address translation node within the VPN, configure the firewall engine's address information as the target network address within that address translation node, and return the address information of the address translation node to the firewall engine. The firewall engine can record the address information of the address translation nodes within the VPN as a basis for establishing communication with those nodes.

[0097] By introducing address translation nodes (APNs) as forwarding components into virtual private networks (VPNs), target clients no longer need to manually configure access rules within the APNs. Instead, they can achieve automatic configuration of access rules within the APNs through a simple configuration within the firewall engine (specifying the VPN and the cloud resources they wish to connect to within it). This not only reduces the manual configuration costs for target clients but also effectively avoids configuration errors that often occur during manual configuration. Furthermore, the target network addresses set within the APNs are tamper-proof. Even if the APNs are attacked, the access control process will not be affected, thus effectively reducing the APNs' exposure surface and consequently mitigating the risk of cloud resource leaks.

[0098] In summary, this embodiment provides several exemplary product forms of forwarding components and offers optional creation schemes for these exemplary forwarding components. It can be seen that this embodiment allows for flexible selection of forwarding components for the virtual private networks that the firewall engine needs to manage, and access rules automatically take effect within the forwarding components. Furthermore, all selected forwarding components possess immutable security attributes, effectively ensuring the security of access rules within the forwarding components.

[0099] In the above or following embodiments, as mentioned above, the firewall engine can be implemented in various ways to interoperate with forwarding components in different virtual private networks.

[0100] In this embodiment, the firewall engine can respond to a configuration operation to determine the interoperability mode configured for any virtual private network (VPN) it manages; and establish an interoperability link with the forwarding components in the VPN according to the interoperability mode. The firewall engine can support multiple interoperability modes, which indicate the network communication technology used when establishing the interoperability link.

[0101] In this embodiment, the interconnection mode of each virtual private network can be manually specified by the customer or automatically configured by the firewall engine; this embodiment does not limit this.

[0102] In this embodiment, the firewall engine can employ multiple interoperability modes to interoperate with forwarding components in different VPNs. Furthermore, there can be compatibility relationships between the interoperability modes and the implementation forms of the forwarding components. Thus, during the configuration phase, the target client can configure the implementation form of the forwarding components used for the VPNs it manages within the firewall engine. The firewall engine can automatically select the appropriate interoperability mode based on the interoperability modes adapted to that implementation form. For a given forwarding component, it can be adapted to one or more interoperability modes. Of course, this is merely an example. During the configuration phase, the target client can also directly configure the implementation form of the forwarding components corresponding to the VPN and the interoperability mode used within the firewall engine, without the firewall engine automatically selecting the mode. This embodiment does not limit this approach.

[0103] In this way, the firewall engine has already set the implementation form of the forwarding component corresponding to the virtual private network and the interoperability mode adopted.

[0104] Following the examples of several exemplary forwarding components presented in the above embodiments, the following provides an exemplary description of the process of establishing interoperability between the firewall engine and the forwarding components within the virtual private network.

[0105] Access control component + first interoperability mode:

[0106] For a firewall engine, if the interconnection mode configured for any virtual private network is the first interconnection mode and the forwarding component is the access control component, then the network interface card (NIC) device information on the access control component can be obtained; based on the NIC device information, an interconnection link is established between the first elastic NIC device on the firewall engine and the second elastic NIC device on the access control component.

[0107] The network interface card (NIC) device information includes the network address of the elastic NIC device, such as a MAC address (Media Access Control Address, MAC) or an IP address (Internet Protocol Address, IP). No further examples are provided here.

[0108] In this embodiment, elastic network interface devices are deployed on the firewall engine and the access control component, respectively. Customers can set interoperability rules in the elastic network interface devices based on the network address of the firewall engine. For example, the access control component can allow interoperability from network addresses of a specified firewall engine, while denying access from other network addresses, thereby achieving secure isolation of network access.

[0109] Understandably, the firewall engine carries the target source network address in the cloud resource access requests sent through the elastic network interface card (NIC), but it cannot detect the cloud resource targeted by the access request. Therefore, when the NIC is exposed to the public network, even if it is attacked, the attacker cannot know the cloud resource targeted by the access request. Furthermore, the NIC has interconnection rules configured to prevent attackers from knowing the routing relationship between the target source network address and the destination network address, thus preventing them from tampering with the target source network address and preventing the NIC from becoming a point of attack.

[0110] The preferred embodiment of the first and second elastic network interface cards (NICs) described above is an Elastic Network Interface (ENI). An ENI can be understood as a virtual network interface that provides network interfaces and network addresses for cloud resources in a Virtual Private Network (VPN).

[0111] It is understood that the network communication technology used in the first interoperability mode here is network interface card (NIC) technology. Of course, besides establishing an interoperability link between the firewall engine and access control components through a flexible NIC device as in this embodiment, other interoperability modes (i.e., network communication technologies) can also be used to establish this link, such as software-defined networking switches (SDN). This embodiment does not limit this approach and will not provide further examples.

[0112] Address translation node + second interconnection mode:

[0113] For the firewall engine, if the interconnection mode configured for any virtual private network is the second interconnection mode, the single tunnel address information associated with the address translation node can be obtained; using single tunnel technology, a single tunnel is established with the address translation node based on the single tunnel address information, as the interconnection link.

[0114] Here, the single tunnel address information associated with the address translation node includes, but is not limited to, the public network address used when communicating with the public network, and the private network address used when communicating with cloud resources in the virtual private network. No further examples will be given.

[0115] In the second interconnection mode, the network communication technology used is single tunnel technology.

[0116] Single-tunnel technology transmits data by creating a separate tunnel within the network. In a virtual private network (VPN) scenario, single-tunnel technology can establish a secure communication link between different VPNs corresponding to a target client, enabling the target client to access cloud resources within different VPNs.

[0117] Figure 3 A schematic diagram of a single-tunneling technology provided for an exemplary embodiment of this application. (Reference) Figure 3 The VPN network segment is 172.16.1.0 / 24, which represents the range of network addresses usable within this VPN. This VPN includes Cloud Resource A and Cloud Resource B. Cloud Resource A has a network address of 172.16.1.1, and Cloud Resource B has a network address of 172.16.1.1:80. Cloud Resource B can communicate with the firewall engine within the firewall system via an Application Load Balancer (ALB). When Cloud Resource A sends data from the VPN to the firewall engine, Cloud Resource B translates Cloud Resource A's network address to a public IP address (i.e., 172.16.1.1 to 172.16.1.1:80), thus preventing the network address of Cloud Resource A from being exposed on the firewall engine side. Since the single tunnel established by ALB connects cloud resource B and the firewall engine, when the firewall engine accesses cloud resource A, it needs to access cloud resource A through cloud resource B. For the firewall engine, it knows the network address of cloud resource B, but it does not know the network address of cloud resource A. Figure 3 The single-tunnel technology principle described herein is merely exemplary, and the details of the principle described in this paragraph are also exemplary. This embodiment is not limited thereto, and the description herein should not limit the scope of protection of this application.

[0118] It is understood that the address translation node in this embodiment can be understood as described above. Figure 3 Cloud resource B in the virtual private network. As mentioned earlier, since the address translation node is bound to the target cloud resource in the virtual private network, a single tunnel can be established using single tunnel technology, with the virtual private network as the dimension. The single tunnel is used to connect the firewall engine and the aforementioned address translation node.

[0119] In this embodiment, the cloud service used to implement the single tunnel technology is not limited; for example, it could be the SingleTunnel service. The SingleTunnel service is an application load balancer (ALB) service that can be used to establish network channels between different virtual private networks.

[0120] Accordingly, when the VPN managed by the firewall engine adopts the aforementioned second interconnection mode, a single tunnel can be applied for in the VPN. The two endpoints of this tunnel are the firewall engine and the address translation node in the VPN, respectively. Since the network address (i.e., the Virtual IP Address (VIP)) of the address translation node is usually set independently according to the ALB load balancing function, it will not occupy the customer's network address pool. This avoids the problem mentioned in the above security group configuration method where the firewall engine is limited by the number of elastic network interfaces attached to cloud resources, thereby reducing the risk of address conflicts and improving the flexibility of address allocation.

[0121] In summary, in this embodiment, based on the implementation of the forwarding component in the firewall engine for any virtual private network and the selected interoperability mode, an interoperability link can be established between the firewall engine and the forwarding component in the virtual private network. Furthermore, since the firewall engine supports multiple interoperability modes, there can be multiple interoperability links established under a single firewall engine. This prevents access control process interruptions due to the failure of a single type of interoperability link, thereby ensuring the continuity of the access control process and improving the flexibility of the interoperability process.

[0122] In the above or following embodiments, as mentioned above, the forwarding component can employ various implementation methods to forward cloud resource access requests to the target cloud resource. One optional implementation method is provided below.

[0123] In this optional implementation, it is proposed that: if the forwarding component in the target virtual private network is an access control component, the access control component can resolve the target source network address in the cloud resource access request; if the target source network address exists in the filtering rules within the access control component, the destination network address that has a routing relationship with the target source network address is found; and the cloud resource access request is forwarded to the target cloud resource pointed to by the destination network address.

[0124] As mentioned earlier, the access control component management system can set filtering rules within the access control component based on the target source network address and the destination network address. In this embodiment, the cloud resource access request forwarded by the firewall engine to the access control component carries the target source network address. The access control component can match the target source network address in the cloud resource access request with the source network address in the filtering rules. After matching, it finds the filtering rules that match the target source network address in the cloud resource access request. Based on the routing relationship between the target source network address in the filtering rules and the collected destination network addresses, it finds the destination network address that matches the cloud resource access request, that is, it finds the destination network address that has a routing relationship with the target source network address.

[0125] Using the above processing method, the cloud resource access requests forwarded by the firewall engine do not carry customer identity information, but only the target source network address. The access control component can then determine the destination network address that matches the cloud resource access request, thereby preventing the leakage of the target customer of the cloud resource access request during transmission. Moreover, since the filtering rules within the access control component are immutable, finding the destination network address of the cloud resource access request based on the filtering rules is accurate and secure.

[0126] In this scenario, the target cloud resource can be a load balancer node or a cloud computing node. If the target cloud resource is a load balancer node, the load balancer node can select a target cloud computing node whose load status matches the load balancing rules from the cloud computing nodes it manages, according to preset load balancing rules, and forward the cloud resource access request to the target cloud computing node.

[0127] Server Load Balancer (SLB) can be understood as a service that distributes traffic on demand. By distributing traffic to different cloud resources, it can expand the service throughput capacity of the access control system and eliminate single points of failure in the access control system, thereby improving the availability of the access control system.

[0128] Here, cloud computing nodes can be understood as the Elastic Compute Service (ECS) cloud servers mentioned earlier. (Reference) Figure 2 As shown, cloud resources A-3 and cloud resources A-4 can be understood as cloud computing nodes. The load balancing node can select target cloud computing nodes that meet the load balancing rules from cloud resources A-3 and cloud resources A-4.

[0129] It is understandable that load balancing rules in a load balancing node can be configured in various ways. For example, a weight can be assigned to each cloud computing node based on the usage scenario of the load balancing node, and the cloud resource access requests can be distributed according to the weight ratio. Here, the content and configuration method of the load balancing rules are not limited, as long as the cloud resource access requests are distributed to the target cloud computing nodes according to the load balancing rules.

[0130] As can be seen, the access control component can forward cloud resource access requests to the target cloud resource according to filtering rules. As mentioned earlier, the target cloud resource includes load balancing nodes or cloud computing nodes. This leverages the immutability of filtering rules to help the access control component accurately determine the destination network address of the cloud resource access request. It is understood that customers can also specify the target cloud resource when deploying the firewall engine; this embodiment does not limit this.

[0131] In this optional implementation, it is also proposed that: if the forwarding component in the target virtual private network is an address translation node, the address translation node queries the network address corresponding to the firewall engine from the data packets sent by the firewall engine. The data packets are obtained by the firewall engine after encapsulating the cloud resource access request; if the network address corresponding to the firewall engine is detected to be the target network address, the cloud resource access request is forwarded to the target cloud resource bound to the address translation node.

[0132] As mentioned earlier, the address translation node is configured with the target network address that is allowed to trigger the address translation operation. The target network address can be understood as the public network address of the firewall engine (i.e., the network address corresponding to the firewall engine). When the firewall engine forwards the data packet of the cloud resource access request to the address translation node, it will carry this public network address.

[0133] Similarly, in this case, the target cloud resource can also be a load balancer node or a cloud computing node. If the target cloud resource is a load balancer node, the load balancer node can select a target cloud computing node whose load status meets the load balancing rules from the cloud computing nodes it manages, according to the preset load balancing rules; and forward the cloud resource access request to the target cloud computing node.

[0134] Based on this, the address translation node can match the network address corresponding to the firewall engine carried in the data packet with the target network address. If the network address corresponding to the firewall engine matches the target network address, the cloud resource access request is forwarded to the target cloud resource bound to the address translation node. If the network address corresponding to the firewall engine fails to match the target network address, the forwarding operation for the cloud resource access request cannot be performed, and a response explaining the reason for the forwarding failure can be sent to the firewall engine. Moreover, as mentioned earlier, the address translation node is used to convert the network address of the cloud resource into a public IP address. It can be understood that when the target cloud resource is returned to the address translation node, the address translation node will convert the network address of the target cloud resource into a public IP address. Therefore, when the address translation node returns the target cloud resource to the firewall engine, the network address of the target cloud resource will not be exposed, thereby ensuring the security of the target cloud resource during transmission.

[0135] In summary, this embodiment provides access control schemes within a virtual private network for several exemplary forwarding components. It can be seen that, based on the access rules within the forwarding component, the forwarding component can securely and seamlessly forward cloud resource access requests to appropriate target cloud resources.

[0136] Figure 4This is a flowchart illustrating an access control method provided in this embodiment. The method is applicable to any firewall engine deployed for a target customer. The firewall engine is deployed outside of multiple virtual private networks (VPNs) corresponding to the target customer. The firewall engine is communicatively connected to the VPNs it needs to manage, and a forwarding component that communicates with the firewall engine is deployed within the VPNs it needs to manage. (Reference) Figure 4 The method includes:

[0137] Step S401: In response to receiving a cloud resource access request for the target customer;

[0138] Step S402: Select a target virtual private network (VPN) from the VPNs that need to be managed, which is compatible with the cloud resource access request;

[0139] Step S403: Forward the cloud resource access request to the forwarding component in the target virtual private network, so that the cloud resource access request can be access controlled by the forwarding component in the target virtual private network according to the set access rules.

[0140] In an optional embodiment, the method may further include:

[0141] In response to a configuration operation, trigger the creation of a forwarding component in any virtual private network that needs to be managed;

[0142] Each of the forwarding components has access rules set to prevent tampering.

[0143] In an optional embodiment, when triggering the creation of a forwarding component in any virtual private network (VPN) to be managed, the method includes: if the forwarding component configured for any VPN to be managed is an access control component, then if no access control component has been created in the VPN, triggering the creation of an access control component in the VPN, wherein the access control scope of the access control component is the cloud resources within the VPN.

[0144] The access control component contains filtering rules that prohibit tampering. These filtering rules include allowed source network addresses, which are the network addresses of the initiator of the cloud resource access request.

[0145] In an optional embodiment, the method may further include:

[0146] Send an access control component creation request for the virtual private network to the access control component management system. The access control component creation request contains the source network address that the virtual private network needs to be responsible for.

[0147] The access control component management system is used to create the access control component in the virtual private network; collect the network addresses of each cloud resource in the virtual private network as destination network addresses; and establish the routing relationship between the source network address included in the access control component creation request and the collected destination network addresses as the filtering rules within the access control component.

[0148] In an optional embodiment, the method may further include:

[0149] In response to the configuration operation, the interoperability mode configured for the virtual private network is determined;

[0150] According to the described interconnection mode, establish an interconnection link with the forwarding components in the virtual private network;

[0151] The firewall engine supports multiple interoperability modes, which indicate the network communication technology used when establishing an interoperability link.

[0152] In an optional embodiment, establishing an interconnection link with the forwarding component in the virtual private network according to the interconnection mode includes:

[0153] If the interoperability mode is the first interoperability mode and the forwarding component is an access control component, then obtain the network interface card device information on the access control component;

[0154] Based on the network interface card (NIC) device information, an interconnection link is established between the first elastic NIC device on the firewall engine and the second elastic NIC device on the access control component.

[0155] In an optional embodiment, the method may further include:

[0156] If the forwarding component in the target virtual private network is an access control component, then the cloud resource access request is forwarded to the access control component.

[0157] In one alternative embodiment, triggering the creation of a forwarding component in any of the virtual private networks requiring control includes:

[0158] If the forwarding component configured for any virtual private network that needs to be managed is an address translation node, then the creation of an address translation node in the virtual private network is triggered, and the address translation node is bound to the target cloud resource in the virtual private network;

[0159] The address translation node is configured with target network addresses that are allowed to trigger address translation operations and are prohibited from being tampered with.

[0160] In an optional embodiment, establishing an interconnection link with the forwarding component in the virtual private network according to the interconnection mode includes:

[0161] If the interoperability mode is the second interoperability mode and the forwarding component is an address translation node, then obtain the single tunnel address information associated with the address translation node;

[0162] Using single-tunnel technology, a single tunnel is established between the address translation node and the single tunnel address information, serving as the interconnection link.

[0163] In an optional embodiment, the method may further include:

[0164] If the forwarding component in the target virtual private network is an address translation node, then the cloud resource access request is forwarded to the address translation node.

[0165] Figure 5 A flowchart illustrating an exemplary embodiment of this application provides an access control method applicable to forwarding components deployed in any virtual private network (VPN) corresponding to a target customer. In addition to multiple VPNs corresponding to the target customer, at least one firewall engine is deployed for the target customer. Each firewall engine communicates with the forwarding components within the VPN it needs to manage. (Refer to...) Figure 5 The method includes:

[0166] Step S501: Receive cloud resource access request;

[0167] Step S502: If the cloud resource access request is forwarded by a firewall engine that has interconnected with the forwarding component, then access control is performed on the cloud resource access request in the virtual private network according to the set access rules.

[0168] In an optional embodiment, the method may further include:

[0169] If the forwarding component is an access control component, then the target source network address in the cloud resource access request is parsed.

[0170] If the target source network address exists in the preset filtering rules, then find the destination network address that has a routing relationship with the target source network address;

[0171] The cloud resource access request is forwarded to the target cloud resource pointed to by the destination network address.

[0172] In an optional embodiment, the method may further include: the target cloud resource includes a load balancing node or a cloud computing node; if the target cloud resource is a load balancing node, the target cloud resource is used to select a target cloud computing node whose load status conforms to the load balancing rules from the cloud computing nodes it manages, according to preset load balancing rules; and forward the cloud resource access request to the target cloud computing node.

[0173] In an optional embodiment, the method may further include:

[0174] If the forwarding component is an address translation node, then the network address corresponding to the firewall engine is queried from the data packet sent by the firewall engine. The data packet is obtained by the firewall engine after encapsulating the cloud resource access request.

[0175] If the network address corresponding to the firewall engine is detected to be the target network address, the cloud resource access request is forwarded to the target cloud resource bound to the address translation node.

[0176] It is worth noting that the technical details of the above-mentioned embodiments of the access control method can be referred to the relevant descriptions of the access control system in the foregoing embodiments. To save space, they will not be repeated here, but this should not cause any loss to the scope of protection of this application.

[0177] Figure 6 This is a schematic diagram of the structure of a computing device provided in another embodiment of this application. For example... Figure 6 As shown, the computing device includes a memory 60 and a processor 61.

[0178] Memory 60 is used to store computer programs and can be configured to store various other data to support operation on the computing device. Examples of this data include instructions for any application or method operating on the computing device, contact data, phone book data, messages, pictures, videos, etc.

[0179] The memory 60 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic storage, flash memory, magnetic disk or optical disk.

[0180] The processor 61, coupled to the memory 60, is used to execute the computer program in the memory 60 to implement the access control method corresponding to the forwarding component set in the aforementioned firewall engine or any virtual private network.

[0181] Furthermore, such as Figure 6 As shown, the computing device also includes other components such as a power supply component 62. Figure 6 The diagram only shows some components and does not mean that the computing device includes only these components. Figure 6 The components shown.

[0182] Accordingly, embodiments of this application also provide a computer-readable storage medium storing a computer program, which, when executed, can perform the steps that can be executed by the computing device described in the above embodiments.

[0183] Accordingly, this application also provides a computer program product, wherein the computer program contained herein, when executed, can perform the steps that can be executed by the computing device described above in the above embodiments.

[0184] Figure 7 This is an exemplary structural diagram of a computer program product provided in another embodiment of this application. For example... Figure 7 As shown, this computer program product can be implemented as a firewall engine and deployed within a controlled area. The firewall engine internally includes a forwarding component module and a cloud resource module. The forwarding component module can be used to mount network interface cards (NICs), request access control components, and request single tunnels, etc. The cloud resource module provides cloud computing node interfaces, virtual private network (VPN) interfaces, and load balancer node interfaces. These interfaces are used to support the configuration information of the required interconnected cloud computing nodes, the required controlled VPN, and the required load balancer nodes, respectively. Interface technologies (e.g., Open Application Programming Interfaces, OpenAPIs) can be used to implement the functions of the forwarding component module and the cloud resource module.

[0185] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0186] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart... Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0187] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0188] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0189] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.

[0190] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.

[0191] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.

[0192] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0193] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions, and corresponding operation portals are provided for users to choose to authorize or refuse.

[0194] The above description is merely an embodiment of this application and is not intended to limit this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

Claims

1. An access control system, characterized in that, It includes at least one firewall engine deployed for the target customer. The at least one firewall engine is deployed outside of multiple virtual private networks corresponding to the target customer. Each firewall engine is communicatively connected to the virtual private network it needs to manage, and a forwarding component that communicates with the firewall engine is deployed in the virtual private network it needs to manage. The firewall engine is configured to, in response to receiving a cloud resource access request for the target customer, select a target virtual private network (VPN) from the VPNs to be managed that is compatible with the cloud resource access request. The cloud resource access request is forwarded to the forwarding component in the target virtual private network; The forwarding component in the target virtual private network is used to perform access control on the cloud resource access requests according to the set access rules.

2. The system according to claim 1, characterized in that, The firewall engine is also used for: In response to a configuration operation, trigger the creation of a forwarding component in any virtual private network that needs to be managed; Each of the forwarding components has access rules set to prevent tampering.

3. The system according to claim 2, characterized in that, When the firewall engine triggers the creation of a forwarding component in any virtual private network requiring management, it is also used for: If the forwarding component configured for any VPN that needs to be managed is an access control component, then if no access control component has been created in the VPN, the creation of an access control component in the VPN will be triggered; the access control scope of the access control component is the cloud resources within the VPN. The access control component contains filtering rules that prohibit tampering. These filtering rules include allowed source network addresses, which are the network addresses of the initiator of the cloud resource access request.

4. The system according to claim 3, characterized in that, When the firewall engine triggers the creation of an access control component in the virtual private network, it is used for: Send an access control component creation request for the virtual private network to the access control component management system. The access control component creation request contains the source network address that the virtual private network needs to be responsible for. The access control component management system is used to create the access control component in the virtual private network; collect the network addresses of each cloud resource in the virtual private network as destination network addresses; and establish the routing relationship between the source network address included in the access control component creation request and the collected destination network addresses as the filtering rules within the access control component.

5. The system according to any one of claims 1-4, characterized in that, If the forwarding component in the target virtual private network is an access control component, then the access control component is used to resolve the target source network address in the cloud resource access request; If the target source network address exists in the filtering rules within the access control component, then find the destination network address that has a routing relationship with the target source network address; and forward the cloud resource access request to the target cloud resource pointed to by the destination network address.

6. The system according to claim 5, characterized in that, The target cloud resource includes a load balancer node or a cloud computing node. If the target cloud resource is a load balancer node, then the target cloud resource is used for: According to the preset load balancing rules, target cloud computing nodes whose load status conforms to the load balancing rules are selected from the cloud computing nodes under its control. The cloud resource access request is forwarded to the target cloud computing node.

7. The system according to claim 2, characterized in that, When the firewall engine triggers the creation of a forwarding component in any virtual private network requiring management, it is used for: If the forwarding component configured for any virtual private network that needs to be managed is an address translation node, then the creation of an address translation node in the virtual private network is triggered, and the address translation node is bound to the target cloud resource in the virtual private network; The address translation node is configured with target network addresses that are allowed to trigger address translation operations and are prohibited from being tampered with.

8. The system according to claim 7, characterized in that, If the forwarding component in the target virtual private network is an address translation node, then the address translation node is used to query the network address corresponding to the firewall engine from the data packets sent by the firewall engine, the data packets being obtained by the firewall engine after encapsulating the cloud resource access request; if the network address corresponding to the firewall engine is detected to be the target network address, the cloud resource access request is forwarded to the target cloud resource bound to the address translation node.

9. The system according to claim 2, characterized in that, The firewall engine is also used for: In response to the configuration operation, the interoperability mode configured for the virtual private network is determined; According to the described interconnection mode, establish an interconnection link with the forwarding components in the virtual private network; The firewall engine supports multiple interoperability modes, which indicate the network communication technology used when establishing an interoperability link.

10. The system according to claim 9, characterized in that, When the firewall engine establishes an interconnection link with the forwarding components in the virtual private network according to the interconnection mode, it is used to: If the interoperability mode is the first interoperability mode and the forwarding component is an access control component, then obtain the network interface card device information on the access control component; Based on the network interface card (NIC) device information, an interconnection link is established between the first elastic NIC device on the firewall engine and the second elastic NIC device on the access control component.

11. The system according to claim 9, characterized in that, When the firewall engine establishes an interconnection link with the forwarding components in the virtual private network according to the interconnection mode, it is used to: If the interoperability mode is the second interoperability mode and the forwarding component is an address translation node, then obtain the single tunnel address information associated with the address translation node; Using single-tunnel technology, a single tunnel is established between the address translation node and the single tunnel address information, serving as the interconnection link.

12. An access control method, characterized in that, The method is applicable to any firewall engine deployed for a target customer, wherein the firewall engine is deployed outside of multiple virtual private networks corresponding to the target customer, the firewall engine is communicatively connected to the virtual private networks it needs to manage, and a forwarding component that interoperates with the firewall engine is deployed in the virtual private networks it needs to manage. In response to receiving a cloud resource access request for the target customer; Select the target virtual private network (VPN) that is compatible with the cloud resource access request from the VPNs that need to be managed; The cloud resource access request is forwarded to the forwarding component in the target virtual private network, so that the cloud resource access request can be controlled by the forwarding component in the target virtual private network in accordance with the set access rules.

13. The method according to claim 12, characterized in that, The method further includes: In response to the configuration operation, the interoperability mode configured for the virtual private network is determined; According to the described interconnection mode, establish an interconnection link with the forwarding components in the virtual private network; The firewall engine supports multiple interoperability modes, which indicate the network communication technology used when establishing the interoperability link.

14. An access control method, characterized in that, The method is applicable to forwarding components deployed in any virtual private network (VPN) corresponding to a target customer. In addition to multiple VPNs corresponding to the target customer, at least one firewall engine is deployed for the target customer. Each firewall engine interoperates with the forwarding components within the VPN it needs to manage. Receive cloud resource access requests; If the cloud resource access request is forwarded by a firewall engine that has interconnected with the forwarding component, then access control for the cloud resource access request is performed in the virtual private network in accordance with the set access rules.

15. A computing device, characterized in that, Including memory and processor; The memory is used to store one or more computer instructions; The processor is coupled to the memory and is configured to execute one or more computer instructions for performing the access control method according to any one of claims 12-14.

16. A computer-readable storage medium for storing computer instructions, characterized in that, When the computer instructions are executed by one or more processors, the one or more processors perform the access control method according to any one of claims 12-14.

17. A computer program product, characterized in that, Includes a computer program, wherein when the computer program is executed by a processor, it causes the processor to perform the access control method according to any one of claims 12-14.