To secure branch offices in mainland China with Prisma Access, you create two separate VPCs in Alibaba Cloud, create a CEN to connect the two VPCs, then create Linux instances in the Alibaba Cloud VPCs to act as CPE routers as shown in the following workflow.
After you create the VPCs in Alibaba Cloud, use this task to deploy instances in the VPCs you created.
Before you create the VPCs, you must complete the following tasks. These tasks are the same tasks you perform when you configure Alibaba Cloud to secure mobile users.
Deploy the router instance for Router 2.
In Alibaba Cloud, select Elastic Compute Service (ECS); then, select Instances.
Select Create Instance.
Select Custom, then select the preferred billing method.
Select the same Region and Zone that you selected for VPC 2.
Select the following parameters:
In the Interface Type area, select a vCPU of 2 vCPU and a Memory of 4 GiB.
In the Image area, select Linux and 16.04 64bit.
In the Storage area, leave the System Disk size as Ultra Disk 40 GiB.
Select Networking at the bottom of the page to continue to the Networking area.
Select the following parameters:
In the Network area, select VPC, then select the VPC you created and create a new security group for this instance.
In the Network Billing Method area, select Assign public IP.
In the Security Group area, select Create Security Group and create a security group that allows incoming connections on TCP port 22 and UDP ports 500 and 4500.
(Optional) If you require more restrictive rules, create them by adding authorization objects.
Select Next: System Configurations.
Create a new Key Pair or use an existing key pair for SSH access.
Select Preview and review the information for the instance to make sure that it is correct; then, select Create Order.
A page displays with the new instance.
Test SSH connectivity by opening a CLI session and entering ssh -i key-file root@instance-ip, where key-file is the file in which you stored the key and instance-ip is the public IP of the instance shown in the previous screenshot as (Internet).
Deploy the VM-series firewall instance for Router 1.
Use the same steps you used in Step 1 for Router 1, substituting the Region and Zone that you use for VPC 1 instead of VPC 2.
Decide which static private IP addresses you want to use for the VM-series instance and make a note of them.
Verify that you can connect to the management interface of the firewall by opening a browser and entering http://public-ip-of-primary-interface, where public-ip-of-primary-interface is the public IP address of the primary interface.
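The security group step above asks for inbound TCP 22 and UDP 500 and 4500, with optional tighter rules. The following is an added example, not part of the original procedure or of any vendor tooling: a small audit that checks an exported rule list against those ports and flags SSH exposure. The rule field names, the sample rules and the admin range 203.0.113.0/24 are assumptions made for illustration.

```python
import ipaddress

# Ports the security group step requires: SSH, IKE and IPsec NAT-T.
REQUIRED = {("tcp", 22), ("udp", 500), ("udp", 4500)}

def audit(rules, admin_cidrs):
    """Return (missing_required_ports, findings) for ingress rule dicts."""
    admins = [ipaddress.ip_network(c, strict=False) for c in admin_cidrs]
    covered, findings = set(), []
    for r in rules:
        if r["Direction"] != "ingress" or r["Policy"].lower() != "accept":
            continue
        proto = r["IpProtocol"].lower()
        lo, hi = (int(p) for p in r["PortRange"].split("/"))
        if lo == -1:                      # -1/-1 means every port
            lo, hi = 1, 65535
        src = ipaddress.ip_network(r["SourceCidrIp"], strict=False)
        hits = {(p, n) for p, n in REQUIRED
                if proto in (p, "all") and lo <= n <= hi}
        covered |= hits
        label = f"{proto} {r['PortRange']} from {src}"
        if not hits:
            findings.append(f"not required by the procedure: {label}")
        elif proto == "all" or hi - lo + 1 > len({n for _, n in hits}):
            findings.append(f"wider than the required ports: {label}")
        if ("tcp", 22) in hits and not any(
                src.version == a.version and src.subnet_of(a) for a in admins):
            findings.append(f"SSH reachable from outside admin ranges: {label}")
    return sorted(REQUIRED - covered), findings

# Constructed sample rules (assumed field names, not from a real account).
AS_CREATED = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "UDP",
     "PortRange": "500/500", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0"},
]
RESTRICTED = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "UDP",
     "PortRange": "500/500", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "UDP",
     "PortRange": "4500/4500", "SourceCidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, rules in (("as created", AS_CREATED), ("restricted", RESTRICTED)):
        print(name, audit(rules, ["203.0.113.0/24"]))
```

An empty result for both lists, as with RESTRICTED, means the three required ports are open and SSH is limited to the admin range.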