Secure North-South Traffic on Alibaba Cloud

Learn how to use VSwitches to segment your VPN into subnets.
After creating a VPC, you can create VSwitches to segment your virtual private network into subnets. This sample features a VPC with CIDR 192.168.0.0/16. Four VSwitches create four subnets.
VSwitch Name    Interface    CIDR
mgmt            eth0         192.168.0.0/24
untrust         eth1         192.168.1.0/24
web             eth2         192.168.2.0/24
db              eth3         192.168.3.0/24
In the following diagram, the VM-Series firewall has one leg in each VSwitch. Typically, inbound traffic is initiated when an external client hits the VM-Series firewall’s Untrust interface. The firewall inspects the traffic and sends it to an application. For example, the firewall sends traffic to a Web server through the Trust interface. The traffic returning from the Web server must hit the VM-Series firewall’s Trust interface. The firewall inspects the return traffic flow and sends it out through the Untrust interface.
To secure inbound traffic, both DNAT and SNAT must be configured on the firewall.
  1. Create NAT rules for inbound traffic.
    Here’s a sample of the NAT rules for inbound traffic protection.
        <nat>
          <rules>
            <entry name="inbound_web">
              <!-- SNAT: rewrite the source to the firewall's ethernet1/2 interface address -->
              <source-translation>
                <dynamic-ip-and-port>
                  <interface-address>
                    <interface>ethernet1/2</interface>
                  </interface-address>
                </dynamic-ip-and-port>
              </source-translation>
              <!-- DNAT: rewrite the destination to the web_server address object -->
              <destination-translation>
                <translated-address>web_server</translated-address>
              </destination-translation>
              <to>
                <member>untrust</member>
              </to>
              <from>
                <member>any</member>
              </from>
              <source>
                <member>any</member>
              </source>
              <destination>
                <member>fw_untrust</member>
              </destination>
              <service>any</service>
              <to-interface>ethernet1/1</to-interface>
            </entry>
          </rules>
        </nat>
        <address>
          <entry name="fw_untrust">
            <ip-netmask>192.168.1.4</ip-netmask>
          </entry>
          <entry name="fw_trust">
            <ip-netmask>192.168.2.201</ip-netmask>
          </entry>
          <entry name="web_server">
            <ip-netmask>192.168.2.203</ip-netmask>
          </entry>
        </address>
  2. Secure outbound traffic.
    As shown in the diagram above, an application initiates the outbound traffic. For example, a web server must run yum install to update rpm packages. Typically, internet-facing traffic within a VPC is routed to a NAT gateway (with an EIP attached). To secure outbound traffic, you must force it to go through the VM-Series firewall.
    1. Add a default gateway route to the VPC routing table, with the firewall's IP address in the web server's subnet as the next hop (NH).
    2. View your entry in the route table.
    3. Configure SNAT rules using the Untrust interface IP to ensure traffic returning from the internet goes through the VM-Series firewall.
      Here's a sample SNAT configuration.
      <nat>
        <rules>
          <entry name="outbound_web">
            <!-- SNAT: rewrite the source to the ethernet1/1 (Untrust) interface address -->
            <source-translation>
              <dynamic-ip-and-port>
                <interface-address>
                  <interface>ethernet1/1</interface>
                </interface-address>
              </dynamic-ip-and-port>
            </source-translation>
            <to>
              <member>untrust</member>
            </to>
            <from>
              <member>trust</member>
            </from>
            <source>
              <member>any</member>
            </source>
            <destination>
              <member>any</member>
            </destination>
            <service>any</service>
            <to-interface>any</to-interface>
          </entry>
        </rules>
      </nat>
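
The inbound requirement above (both DNAT and SNAT on the same rule) can be checked mechanically before a config is pushed. The following is an added example, not Palo Alto Networks code: the function name audit_inbound_nat, the <config> wrapper element and the relative XPaths are assumptions that match the fragment layout shown on this page, not the full PAN-OS configuration tree.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Subnets taken from the VSwitch table on this page.
UNTRUST_NET = ipaddress.ip_network("192.168.1.0/24")
WEB_NET = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample: the page's inbound rule and address objects, wrapped in
# a hypothetical <config> root so the fragment parses as one document.
SAMPLE = """<config>
<nat><rules><entry name="inbound_web">
  <source-translation><dynamic-ip-and-port><interface-address>
    <interface>ethernet1/2</interface>
  </interface-address></dynamic-ip-and-port></source-translation>
  <destination-translation><translated-address>web_server</translated-address></destination-translation>
  <to><member>untrust</member></to><from><member>any</member></from>
  <source><member>any</member></source><destination><member>fw_untrust</member></destination>
  <service>any</service><to-interface>ethernet1/1</to-interface>
</entry></rules></nat>
<address>
  <entry name="fw_untrust"><ip-netmask>192.168.1.4</ip-netmask></entry>
  <entry name="web_server"><ip-netmask>192.168.2.203</ip-netmask></entry>
</address>
</config>"""

def audit_inbound_nat(xml_text):
    """Return a list of findings for inbound (DNAT) rules; empty means clean."""
    root = ET.fromstring(xml_text)
    addrs = {e.get("name"): e.findtext("ip-netmask") for e in root.findall("./address/entry")}
    findings = []

    def in_net(obj, net, rule, role):
        ip = addrs.get(obj)
        if ip is None:
            findings.append(f"{rule}: {role} '{obj}' is not a defined address object")
        elif ipaddress.ip_interface(ip).ip not in net:
            findings.append(f"{rule}: {role} {ip} is outside {net}")

    for rule in root.findall("./nat/rules/entry"):
        name = rule.get("name")
        dnat = rule.findtext("destination-translation/translated-address")
        if dnat is None:
            continue  # no DNAT: not an inbound rule (e.g. outbound_web)
        if rule.find("source-translation/dynamic-ip-and-port/interface-address/interface") is None:
            findings.append(f"{name}: DNAT without SNAT; inbound rules need both")
        in_net(dnat, WEB_NET, name, "translated address")
        for dst in rule.findall("destination/member"):
            in_net(dst.text, UNTRUST_NET, name, "destination")
    return findings
```
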
