Deploy the VM-Series Firewall on Alibaba Cloud
Learn how to use the Alibaba Cloud console to create the networks to deploy the VM-Series firewall with multiple interfaces.
Where Can I Use This?
  • Alibaba Cloud International Regions subscription
  • Alibaba Cloud Mainland China subscription
What Do I Need?
  • VM-Series License (BYOL)
  • VM-Series plugin
  • Panorama
The VM-Series firewall requires a minimum of three interfaces: management, untrust, and trust. An Alibaba Cloud VPC is logically isolated when you create it. To segment the VPC into subnets, you create vSwitches, each with its own CIDR block. Because the VM-Series firewall has multiple interfaces, it can inspect traffic on all subnets.
Typically external inbound traffic encounters the VM-Series firewall untrust interface. The firewall inspects the inbound traffic and sends it to an application through the trust interface. Return traffic from the application goes to the firewall’s trust interface, where the firewall inspects the return traffic and sends it out through the untrust interface.
Use the following steps to deploy the Active/Passive HA on Alibaba Cloud:

Create a VPC and Configure Networks

Use the Alibaba Cloud console to create a VPC, vSwitches, security groups, and security group rules.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
  1. Open the VPC console and select your region from the menu. Note that the region you select must provide one of the instance types that Palo Alto Networks supports.
  2. From the Alibaba Cloud Console homepage, select Products and Services > Networking > Virtual Private Cloud.
  3. Create a VPC.
    In this step you create a VPC and the Management, Untrust, and Trust vSwitches. The ECS console creates a VPC and a vSwitch using the same form.
    1. Select Create VPC.
      Specify the VPC name, an IPv4 CIDR Block, and a description. Refer to Create a VPC.
      Property              Value
      Name                  Your choice
      IPv4 CIDR Block       Your choice. Refer to the CIDR block FAQ.
      Resource Group        Your choice.
    2. Select Create VSwitch.
      • Name the vSwitch Management.
      • Choose the Zone, specify an IPv4 CIDR Block that is a subset of the block you specified for the VPC, and specify a Description.
      • At the bottom, click Add to add another vSwitch (don't click OK until you have added all vSwitches).
    3. Add the Untrust vSwitch in the same manner.
    4. Add the Trust vSwitch.
    5. Click OK.
      View the VPC details and make any changes before you click Complete.
  4. Create security groups and security group rules.
    • From the Alibaba Cloud Console homepage, select Elastic Compute Service > Networking & Security > Security Groups.
    • On the upper right, click Create Security Group.
    1. Create the management security group.
      Refer to Create a security group to fill out the following fields.
      Property              Value
      Template              Customize
      Security Group Name   Management
      Security Group Type   Basic
      Network Type          VPC
      VPC                   Select the VPC you created earlier.
      Resource Group        Your choice
      • Complete the form and click OK.
        The ECS console prompts you to create rules for this security group. This task describes some basic security group rules that allow you to bring up the VM-Series firewall. You can create more rules to enforce your network security requirements.
    2. Select Create Rules Now and create rules for HTTPS and SSH.
      Select the Inbound tab, and click Add Security Group Rule.
      • Create an Inbound rule to allow HTTPS in this security group. For example:
        Property              Value
        Rule Direction        Inbound
        Action                Allow
        Protocol Type         HTTPS (443)
        Priority              100
        Authorization Type
        Authorization Object
      • Click Add Security Group Rule to create an inbound rule to allow SSH on the management interface.
        Property              Value
        Rule Direction        Inbound
        Action                Allow
        Protocol Type         Customized TCP
        Port Range            1/65535
        Authorization Type
        Authorization Object
        Click OK and select Back to return to the Security Groups page.
    3. Select Create Security Group and create the Untrust security group.
      When prompted, create a rule for the Untrust security group.
      Property              Value
      Rule Direction        Inbound
      Action                Allow
      Protocol Type         Custom TCP
      Port Range            1/65535
      Priority              100
      Authorization Type
      Authorization Object
      Click OK and select Back to return to the Security Groups page.
    4. Create the Trust security group.
      When prompted, click Add Security Group Rule and duplicate the Untrust rule.
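Step 3 above requires each vSwitch CIDR block to be a subset of the VPC block and creates one vSwitch per firewall interface. The following Python check is an added example, not part of the Palo Alto Networks documentation or the Alibaba Cloud console; it validates a planned layout offline before you type it into the Create VPC form. The CIDR values are constructed samples standing in for "Your choice" in the tables.

```python
import ipaddress

# Constructed sample values standing in for "Your choice" in the tables above.
VPC_CIDR = "10.0.0.0/16"
VSWITCHES = {"Management": "10.0.0.0/24", "Untrust": "10.0.1.0/24", "Trust": "10.0.2.0/24"}
# One vSwitch per firewall interface, as created in step 3.
REQUIRED_VSWITCHES = ("Management", "Untrust", "Trust")


def check_layout(vpc_cidr, vswitches):
    """Return a list of problems; an empty list means the layout is consistent:
    IPv4 VPC block, all three vSwitches present, each a valid IPv4 CIDR inside
    the VPC block, and no two vSwitch blocks overlapping."""
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:
        return [f"VPC: invalid CIDR {vpc_cidr!r} ({exc})"]
    if vpc.version != 4:
        # VM-Series interfaces in public clouds must be IPv4; IPv6 is unsupported.
        return [f"VPC: {vpc_cidr} is not IPv4"]
    problems = [f"missing vSwitch: {n}" for n in REQUIRED_VSWITCHES if n not in vswitches]
    nets = {}
    for name, cidr in vswitches.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        # subnet_of() raises on mixed address families, so check the version first.
        if net.version != 4 or not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not an IPv4 subnet of VPC block {vpc_cidr}")
            continue
        nets[name] = net
    # Pairwise overlap check: each vSwitch needs its own disjoint CIDR block.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    for line in check_layout(VPC_CIDR, VSWITCHES) or ["layout OK"]:
        print(line)
```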