In Alibaba Cloud, your VPC logically isolates your virtual network.
After creating a VPC, you can create VSwitches to further segment
your virtual private network, as shown in the following diagram.

To secure inbound traffic, both DNAT and SNAT must be configured
on the firewall.
Inbound traffic originates from a client outside of your VPC
going to the VM-Series firewall untrust interface. The firewall
inspects the traffic and sends it to an application through the
trust interface. Traffic returning from the application must travel through
the VM-Series firewall trust interface, which inspects the return
traffic flow and sends it out through the untrust interface.
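
The following added example (not part of the original documentation) models the inbound flow above to show why DNAT alone does not bring return traffic back to the firewall. All addresses are constructed, and two things are assumptions: that SNAT uses the trust interface IP, and that the application subnet's default route points to a NAT gateway rather than the firewall.

```python
from dataclasses import dataclass, replace

# All addresses are constructed for illustration.
FW_UNTRUST = "10.0.1.10"       # firewall untrust interface
FW_TRUST = "10.0.2.10"         # firewall trust interface (assumed SNAT address)
APP = "10.0.2.50"              # application server behind the trust interface
CLIENT = "203.0.113.7"         # external client
DEFAULT_ROUTE = "nat-gateway"  # assumed default next hop of the application subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self, snat):
        self.snat = snat
        self.sessions = {}  # reply 4-tuple expected on trust -> original packet

    def inbound(self, pkt):
        """Translate a packet that arrived on the untrust interface."""
        out = replace(pkt, dst=APP)            # DNAT: untrust IP -> application
        if self.snat:
            out = replace(out, src=FW_TRUST)   # SNAT: client IP -> trust IP
        self.sessions[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt):
        """Reverse both translations for a reply that arrived on trust."""
        orig = self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)]
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def round_trip(snat):
    """Return (next hop the app uses for its reply, packet the client receives)."""
    fw = Firewall(snat)
    seen = fw.inbound(Packet(CLIENT, 40000, FW_UNTRUST, 443))
    reply = Packet(seen.dst, seen.dport, seen.src, seen.sport)
    # The app answers the source address it saw: on-link if that is the
    # firewall's trust IP, otherwise via the subnet's default route.
    hop = FW_TRUST if reply.dst == FW_TRUST else DEFAULT_ROUTE
    if hop != FW_TRUST:
        return hop, None   # reply leaves without passing the firewall
    return hop, fw.reply(reply)
```

With SNAT enabled, the reply returns to the trust interface and leaves the untrust interface with the address the client originally contacted. Without it, the reply follows the subnet's default route and is never inspected. The model keeps the source port unchanged for brevity.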

Outbound traffic typically originates from an external application.
Typically, you route the internet-facing traffic within a VPC to
a NAT gateway (with EIP attached). To do this, add a default gateway
route in the VPC routing table, with the VM-Series firewall IP address
of the application subnet as the next hop. Configure SNAT using
the untrust interface IP to ensure traffic originating from the
internet returns through the VM-Series firewall.