Prisma Access Integrations
  • Prisma Access Integrations
  • Prisma Access Documentation
  • All Documentation
>
Set up the Alibaba Cloud Infrastructure
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access
  3. Onboard Mobile Users and Branch Offices in Mainland China
  4. Onboard Branch Offices in Mainland China to Prisma Access
  5. Set up the Alibaba Cloud Infrastructure
Download PDF
Prisma Access

Set up the Alibaba Cloud Infrastructure

Table of Contents
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Panorama)
To secure branch offices in mainland China with Prisma Access, you create two separate VPCs in Alibaba cloud, create a CEN to connect the two VPCs, then create Linux instances in the Alibaba Cloud VPCs to act as CPE routers as shown in the following workflow.
After you create the VPCs in Alibaba Cloud, use this task to deploy instances in the VPCs you created.
Before you create the VPCs, you must complete the following tasks. These tasks are the same tasks you perform when you configure Alibaba cloud to secure mobile users.
  1. Deploy the router instance for Router 2.
    1. In Alibaba Cloud, select Elastic Compute Service (ECS); then, select Instances.
    2. Select Create Instance.
    3. Select Custom, then select the preferred billing method.
      Select the same Region and Zone that you selected for VPC 2.
    4. Select the following parameters:
      • In the Interface Type area, select a vCPU of 2 vCPU and a Memory of 4 GiB.
      • In the Image area, select Linux and 16.04 64bit.
      • In the Storage, leave the System Disk size as Ultra Disk 40 GiB.
    5. Select Networking at the bottom of the page to continue to the Networking area.
    6. Select the following parameters:
      • In the Network area, select VPC, then select the VPC you created and create a new security group for this instance.
      • In the Network Billing Method area, select Assign public IP.
      • In the Security Group area, select Create Security Group and create a security group that allows incoming connections on TCP port 22 and UDP ports 500 and 4500.
      • (Optional) If you require more restrictive rules, create them by adding authorization objects.
    7. Select Next: System Configurations.
    8. Create a new Key Pair or use an existing key pair for SSH access.
    9. Select Preview and review the information for the instance to make sure that it is correct; then, select Create Order.
      A page displays with the new instance.
    10. Test SSH connectivity by opening a CLI session and entering the ssh -i key file root@instance-ip, where key-file is the file in which you stored the key and instance-ip is the public IP of the instance shown in the previous screenshot as (Internet).
  2. Deploy the VM-series firewall instance for Router 1.
    Use the same steps you used in Step
    1
    for Router 1, substituting the Region and Zone that you use for VPC 1 instead of VPC 2.
  3. Decide which static private IP addresses you want to use for the VM-series instance and make a note of them.
  4. Verify that you can connect to the management interface of the firewall by opening a browser and entering http://public-ip-of-primary-interface, where public-ip-of-primary-interface if the public IP address of the primary interface.

© 2025 Palo Alto Networks, Inc. All rights reserved.