In recent years, cloud infrastructure (also called IaaS (Infrastructure as a Service)) has been provided that offers computing resources (storage, compute, etc.) and network resources to users as virtual resources. As is well known, on a cloud infrastructure platform, scale-out/scale-in of virtual machines (VMs) and configuration of a virtual network can be performed flexibly. A user can therefore dynamically configure virtual machines and a virtual network on the cloud infrastructure according to the required specification, load and so forth of the user side system, and as a result can build and operate a system whose processing performance is necessary and sufficient for the load on the user side. A virtual machine (VM) is implemented on a virtualization mechanism (hypervisor or Virtual Machine Monitor (VMM)) that virtualizes a server (virtual machine server). By means of network virtualization (for instance NFV (Network Function Virtualization)), virtual networks are used for communication between a virtual machine and an external node, communication between virtual machines on the same virtual machine server, and communication between a virtual machine and the management OS (Operating System).
A service control system is known that provides desired services to users by controlling virtual machines, virtual networks, and the service components on each virtual machine. Here, the service components on a virtual machine are components (for instance software components corresponding to the functions required by an application) implemented on and running on the virtual machine. Patent Literature 1 discloses a system in which technology layers (a combination of a physical machine, a virtual machine, an operating system, etc.) are automatically configured to meet a resource request input by a user.
In a typical service control system of the related art, for instance, addition and deletion of virtual machines and configuration of a virtual network are performed through the API (Application Programming Interface) of the cloud infrastructure. In such a service control system, a user can freely configure a network by designating a virtual port that connects a virtual machine to the created virtual network (refer to "2.1.2.3 Server Networks" of Non-Patent Literature 1). This is realized by a virtual network service. For instance, though not limited thereto, a virtual network service can provide a network infrastructure service of network equipment (router, firewall, load balancer, etc.) to a user on demand.
As a service provided by a virtual network service, for the user, the service control system and the virtual machine service, the network equipment and the machines (servers) on which virtual machines run are set up essentially only through manipulation of virtual networks and ports. For instance, a network can be configured so that communication is possible only between virtual ports belonging to the same virtual network. In a virtual machine service, for instance, virtual machines in a cloud resource or a data center are made available to a user, and the specification of a virtual machine can be changed. A virtual machine is logically connected to a port of a virtual network.
As a technology for realizing a virtual network service, there is network virtualization using OpenFlow. For instance, Patent Literature 3 discloses a configuration in which a virtual network is provided by having a control apparatus operate OpenFlow switches as virtual nodes. Further, Non-Patent Literature 2 describes that a virtual network can be constructed by combining OpenFlow switches with an OpenFlow controller called the "sliceable switch", and also describes configuration that associates a virtual network with ports, called "port-based binding". In Non-Patent Literature 2, a port is specified by a switch ID, a port number within the switch, and a VLAN ID (Virtual Local Area Network ID). The sliceable switch is a controller used when a network of OpenFlow switches is operated divided into a plurality of L2 (Layer 2) domains (slices). An OpenFlow switch compares predetermined header fields of a received packet with the match pattern of each flow entry; if they match, it performs the operation (processing) defined in the action of that flow entry, and if no entry matches, it sends the received packet to the sliceable switch (the controller) in a Packet_In message. Upon receiving the Packet_In message, the sliceable switch performs, for instance, the following processing.
Determine an egress switch and port on the basis of the destination MAC address of the packet.
When the determined switch and port belong to the same slice as the port that received the packet, calculate the shortest path from the receiving switch to the egress switch and install a flow entry in each switch on the path using a Flow Mod message; forwarding is thus confined to a single slice.
Send the received packet to the egress switch using a Packet_Out message (forwarding instruction message) so that it is output from the determined port. Note that, with port-based binding, a host ID, datapath ID, port number, and VLAN ID are recorded for each slice.
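The Packet_In handling just described, together with the earlier point that communication is possible only between ports of the same virtual network, can be made concrete with a small controller model. The following Python is an added example written for this page; it is not the sliceable switch's own code and is not taken from Non-Patent Literature 2. It assumes a constructed line topology of three switches, two tenant slices, a MAC table learned from Packet_In source addresses, and plain records standing in for the Flow Mod and Packet_Out messages (all assumptions); the names SliceableSwitch, Binding, FlowMod, PacketOut and demo are hypothetical.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:  # port-based binding: (datapath ID, port number, VLAN ID)
    dpid: int
    port: int
    vlan: int


@dataclass(frozen=True)
class FlowMod:  # stand-in for a Flow Mod: match (in_port, vlan, dst_mac) on dpid -> out_port
    dpid: int
    in_port: int
    vlan: int
    dst_mac: str
    out_port: int


@dataclass(frozen=True)
class PacketOut:  # stand-in for a Packet_Out: emit the held packet from out_port of dpid
    dpid: int
    out_port: int


class SliceableSwitch:
    """Toy controller: each slice is a set of port bindings; forwarding never crosses a slice."""

    def __init__(self, links):
        # links: ((dpid_a, port_a), (dpid_b, port_b)) inter-switch links, usable in both directions
        self.adj = defaultdict(dict)  # dpid -> {neighbour dpid: local port towards it}
        for (a, pa), (b, pb) in links:
            self.adj[a][b], self.adj[b][a] = pa, pb
        self.slice_of = {}   # Binding -> slice id (the per-slice binding table)
        self.mac_table = {}  # MAC -> Binding where it was last seen (assumed learning behaviour)
        self.flow_mods, self.packet_outs = [], []  # messages the controller "sent"

    def bind_port(self, slice_id, dpid, port, vlan):
        self.slice_of[Binding(dpid, port, vlan)] = slice_id

    def shortest_path(self, src, dst):
        # BFS over the switch graph; returns the list of dpids from src to dst, or None
        prev, queue = {src: None}, deque([src])
        while queue and dst not in prev:
            u = queue.popleft()
            for v in self.adj[u]:
                if v not in prev:
                    prev[v] = u
                    queue.append(v)
        if dst not in prev:
            return None
        path = []
        while dst is not None:
            path.append(dst)
            dst = prev[dst]
        return path[::-1]

    def packet_in(self, dpid, in_port, vlan, src_mac, dst_mac):
        """Handle one Packet_In; returns a short verdict string."""
        ingress = Binding(dpid, in_port, vlan)
        ingress_slice = self.slice_of.get(ingress)
        if ingress_slice is None:
            return "dropped: ingress port is not bound to any slice"
        self.mac_table[src_mac] = ingress
        egress = self.mac_table.get(dst_mac)  # (1) egress switch/port from the destination MAC
        if egress is None:
            return "unknown destination: no flow installed"
        if self.slice_of.get(egress) != ingress_slice:  # (2) never forward across slices
            return f"dropped: destination is in slice {self.slice_of.get(egress)!r}, not {ingress_slice!r}"
        path = self.shortest_path(dpid, egress.dpid)
        if path is None:
            return "dropped: no path between the switches"
        cur_in = in_port  # one Flow Mod per switch on the path, chained along the links
        for i, sw in enumerate(path):
            last = i + 1 == len(path)
            out_port = egress.port if last else self.adj[sw][path[i + 1]]
            self.flow_mods.append(FlowMod(sw, cur_in, vlan, dst_mac, out_port))
            if not last:
                cur_in = self.adj[path[i + 1]][sw]
        self.packet_outs.append(PacketOut(egress.dpid, egress.port))  # (3) release the held packet
        return f"forwarded via {path}"


A1, A2, B1 = "00:00:00:00:00:a1", "00:00:00:00:00:a2", "00:00:00:00:00:b1"  # constructed hosts


def demo():
    """Constructed scenario: switches 1-2-3 in a line; tenant-a on s1/s3, tenant-b on s2."""
    ctl = SliceableSwitch([((1, 2), (2, 2)), ((2, 3), (3, 2))])
    ctl.bind_port("tenant-a", 1, 1, 10)
    ctl.bind_port("tenant-a", 3, 1, 10)
    ctl.bind_port("tenant-b", 2, 1, 20)
    verdicts = [
        ctl.packet_in(1, 1, 10, A1, A2),  # A2 not yet learned: nothing installed, A1 learned
        ctl.packet_in(3, 1, 10, A2, A1),  # same slice: path 3->2->1, three Flow Mods, one Packet_Out
        ctl.packet_in(2, 1, 20, B1, A1),  # A1 is known but in another slice: dropped, no Flow Mod
    ]
    return ctl, verdicts
```

Two points the model makes visible: the slice check happens before any Flow Mod is issued, so a tenant on the wrong VLAN or port cannot cause state to be installed for another tenant's traffic; and the MAC table here is keyed by MAC alone, so a MAC that appears in two slices would overwrite its binding. A controller meant for multi-tenant use keys learned addresses per slice. For an unknown destination the model installs nothing, whereas a real controller would typically flood within the slice only.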
For instance, a virtual network is used for communication between service components. In general, a virtual network is not connected to an external network or to the Internet, for security reasons.
In general, a virtual network service in a cloud infrastructure is provided on a per-site basis. As a result, when constructing a system that straddles different sites, a user connects the virtual networks of the sites using a VPN (Virtual Private Network). An inter-site VPN is realized by routing between the private networks of different sites over a public network such as the Internet while maintaining security. In a VPN connection over the Internet, a site router (also known as a "VPN device") forwards packets to the router (VPN device) of the other site through the VPN connection. Further, in an inter-site VPN, tunneling bundles the many communications between terminals within the sites so that they appear as a single communication between the routers (VPN devices); encryption on the sending side and decryption on the receiving side are thus aggregated at, and performed by, the routers (VPN devices).
Patent Literature 2 describes a method that includes a step of initiating the availability of access to a first private computer network from at least one remote computing system of a first client. In Patent Literature 2, a configurable network service provides a client of the service with secure private access to the computer network provided for that client, either by enabling a VPN (Virtual Private Network) connection or another secure connection between at least one remote computing system of the client and the provided computer network, or by enabling the client to interact remotely with the provided computer network in a private and secure manner using other security and/or authentication techniques. Patent Literature 4 discloses a configuration in which, for a physical line in a wide area network connecting different sites, a virtual port is defined for each of a plurality of logical channels corresponding to the connected sites, and routing is performed so that data transmitted to another site is assigned to the corresponding virtual port. In Patent Literature 4, creation or deletion of a logical channel on the network side triggers creation or deletion of the corresponding virtual port, and routing treats the logical channel on the network side as a virtual router port.
[Patent Literature 1] Japanese Patent Kokai Publication No. JP2009-245409A
[Patent Literature 2] Japanese Patent Kohyo Publication No. JP2012-511878A
[Patent Literature 3] International Publication No. WO2012/090996
[Patent Literature 4] Japanese Patent Kokai Publication No. JP2008-187236A