The VM-Series firewall assumes a minimum of three interfaces: management, untrust, and trust. When you create an Alibaba Cloud VPC, it is logically isolated. To segment your virtual private network into subnets, you create VSwitches, each having its own CIDR block. Because the VM-Series firewall has multiple interfaces, it can inspect traffic on all subnets.

Typically, external inbound traffic encounters the VM-Series firewall untrust interface. The firewall inspects the inbound traffic and sends it to an application through the trust interface. Return traffic from the application goes to the firewall’s trust interface. The firewall inspects the return traffic and sends it out through the untrust interface.
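
The segmentation described above can be checked before deployment. The following Python sketch is an added example, not Palo Alto Networks or Alibaba Cloud code; it validates a planned layout of VSwitch CIDR blocks and firewall interfaces. The VSwitch names, addresses, and the rule that each of the three interfaces sits in its own VSwitch are assumptions made for illustration.

```python
import ipaddress

ROLES = ("management", "untrust", "trust")  # the three interfaces the firewall assumes

def validate_plan(vpc_cidr, vswitches, interfaces):
    """Return a list of problems in a segmentation plan (empty list = plan is consistent).

    vswitches:  {vswitch_name: cidr}
    interfaces: {role: (vswitch_name, ip)}
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vswitches.items()}

    # Every VSwitch CIDR block must fall inside the VPC range.
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside VPC {vpc}")

    # VSwitch CIDR blocks must not overlap, or the subnets are not really separate.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")

    # Assumption: each interface gets its own VSwitch and an address inside it.
    used = {}
    for role in ROLES:
        if role not in interfaces:
            problems.append(f"missing {role} interface")
            continue
        vsw, ip = interfaces[role]
        if vsw not in nets:
            problems.append(f"{role}: unknown VSwitch {vsw}")
        elif ipaddress.ip_address(ip) not in nets[vsw]:
            problems.append(f"{role}: {ip} is not in {vsw} ({nets[vsw]})")
        if vsw in used:
            problems.append(f"{role} shares VSwitch {vsw} with {used[vsw]}")
        used.setdefault(vsw, role)
    return problems

# Constructed sample plan (hypothetical names and addresses).
SAMPLE_VSWITCHES = {"vsw-mgmt": "192.168.0.0/24",
                    "vsw-untrust": "192.168.1.0/24",
                    "vsw-trust": "192.168.2.0/24"}
SAMPLE_INTERFACES = {"management": ("vsw-mgmt", "192.168.0.10"),
                     "untrust": ("vsw-untrust", "192.168.1.10"),
                     "trust": ("vsw-trust", "192.168.2.10")}

if __name__ == "__main__":
    print(validate_plan("192.168.0.0/16", SAMPLE_VSWITCHES, SAMPLE_INTERFACES) or "plan OK")
```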