At present, virtual machine technology is commonly applied in various cloud computing environments. A core idea of cloud computing is to uniformly manage and schedule a great number of resources connected over a network (the resources herein include storage resources, computing resources, and various types of application software), forming a resource pool that provides users with services on demand. With virtual machine technology, one or more virtual machines can be virtualized on one physical host, so that several or even dozens of virtual machines can share the hardware resources of one physical host, thereby improving resource utilization. However, the application of virtual machine technology also brings new challenges to network security management. An existing physical security device protects the security of a domain formed by physical hosts, for example, the internal local area network of a company, but cannot monitor traffic between virtual machines in a virtualized network formed by several virtual machines, especially virtual machines on the same host machine (in this specification, a physical host that provides hardware resources for a virtual machine is referred to as a host machine). In addition, virtual machine migration makes a static security policy no longer applicable. Virtual machine migration refers to the case in which a virtual machine originally implemented on the hardware resources and processing resources of one physical host comes to be implemented on the hardware resources and processing resources of another physical host.
In the prior art, whether traffic of a virtual machine in a virtualized network is monitored by a physical security device or by a secure virtual machine on a host machine, the security policy must be dynamically adjusted when virtual machine migration occurs. Therefore, how to determine that virtual machine migration has occurred becomes a key problem.
A current manner of determining virtual machine migration is to import all traffic of a virtual machine into a switch, which then determines the existence of the virtual machine. However, this manner requires a tailor-made switch that supports a specific protocol, for example, a switch that supports the Virtual Ethernet Port Aggregator (VEPA) protocol, and the virtual machine vendor also needs to provide support. Therefore, the deployment cost is high.