Secure North-South Traffic on Alibaba Cloud

Learn how to use VSwitches to segment your VPC into subnets.
After creating a VPC, you can create VSwitches to segment the VPC into subnets. This sample features a VPC with CIDR 192.168.0.0/16, in which four VSwitches create four subnets.
VSwitch Name   Interface   CIDR
mgmt           eth0        192.168.0.0/24
untrust        eth1        192.168.1.0/24
web            eth2        192.168.2.0/24
db             eth3        192.168.3.0/24
In the following diagram, the VM-Series firewall has one leg in each VSwitch. Typically, inbound traffic is initiated when an external client hits the Untrust interface of the VM-Series firewall. The firewall inspects the traffic and sends it to an application; for example, it sends traffic to a web server through the Trust interface. The traffic returning from the web server must hit the Trust interface of the VM-Series firewall, which inspects the return flow and sends it out through the Untrust interface.
[Figure: ali_north_south.png]
To secure inbound traffic, both DNAT and SNAT must be configured on the firewall.
  1. Create NAT rules for inbound traffic.
    Here’s a sample of the NAT rules for inbound traffic protection.
    <nat>
      <rules>
        <!-- DNAT the firewall's Untrust IP to the web server; SNAT to the Trust
             interface so the server's replies come back through the firewall -->
        <entry name="inbound_web">
          <source-translation>
            <dynamic-ip-and-port>
              <interface-address>
                <interface>ethernet1/2</interface>
              </interface-address>
            </dynamic-ip-and-port>
          </source-translation>
          <destination-translation>
            <translated-address>web_server</translated-address>
          </destination-translation>
          <to><member>untrust</member></to>
          <from><member>any</member></from>
          <source><member>any</member></source>
          <destination><member>fw_untrust</member></destination>
          <service>any</service>
          <to-interface>ethernet1/1</to-interface>
        </entry>
      </rules>
    </nat>
    <!-- Address objects referenced by the rule above -->
    <address>
      <entry name="fw_untrust"><ip-netmask>192.168.1.4</ip-netmask></entry>
      <entry name="fw_trust"><ip-netmask>192.168.2.201</ip-netmask></entry>
      <entry name="web_server"><ip-netmask>192.168.2.203</ip-netmask></entry>
    </address>
  2. Secure outbound traffic.
    As shown in the diagram above, an application initiates the outbound traffic. For example, a web server must run yum install to update RPM packages. Typically, internet-facing traffic within a VPC is routed to a NAT gateway (with an EIP attached). To secure outbound traffic, you must force it to go through the VM-Series firewall.
    1. Add a default route to the VPC route table, with the firewall's IP address in the web server's subnet as the next hop (NH).
      [Figure: ali_route_entry.png]
    2. View your entry in the route table.
      [Figure: ali_route_entry_list.png]
    3. Configure SNAT rules that use the Untrust interface IP, so that traffic returning from the internet goes through the VM-Series firewall.
      Here's a sample SNAT configuration.
      <nat>
        <rules>
          <!-- SNAT trust-to-untrust traffic to the Untrust interface IP -->
          <entry name="outbound_web">
            <source-translation>
              <dynamic-ip-and-port>
                <interface-address>
                  <interface>ethernet1/1</interface>
                </interface-address>
              </dynamic-ip-and-port>
            </source-translation>
            <to><member>untrust</member></to>
            <from><member>trust</member></from>
            <source><member>any</member></source>
            <destination><member>any</member></destination>
            <service>any</service>
            <to-interface>any</to-interface>
          </entry>
        </rules>
      </nat>
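As an added check (not part of this page or of PAN-OS), the following Python script parses NAT configuration of the shape shown above and verifies the two return-path requirements the text states: an inbound rule with DNAT must also SNAT from the firewall interface that sits in the server's VSwitch, and an outbound rule from trust must SNAT from the Untrust interface. The combined sample config and the interface-to-address mapping (ethernet1/1 = fw_untrust, ethernet1/2 = fw_trust) are assumptions constructed from the page's snippets.

```python
import ipaddress
import xml.etree.ElementTree as ET

# VSwitch CIDRs from the table above. The interface-to-address mapping is an
# assumption read off the sample: ethernet1/1 = Untrust, ethernet1/2 = Trust.
VSWITCHES = [ipaddress.ip_network(c) for c in
             ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]
INTERFACE_ADDR = {"ethernet1/1": "fw_untrust", "ethernet1/2": "fw_trust"}
UNTRUST_IF = "ethernet1/1"

# Constructed config: the page's two NAT rules and its address objects in one document.
SAMPLE_CONFIG = """<config><nat><rules>
<entry name="inbound_web"><from><member>any</member></from><to-interface>ethernet1/1</to-interface>
 <source-translation><dynamic-ip-and-port><interface-address><interface>ethernet1/2</interface>
 </interface-address></dynamic-ip-and-port></source-translation>
 <destination-translation><translated-address>web_server</translated-address></destination-translation>
</entry>
<entry name="outbound_web"><from><member>trust</member></from><to><member>untrust</member></to>
 <source-translation><dynamic-ip-and-port><interface-address><interface>ethernet1/1</interface>
 </interface-address></dynamic-ip-and-port></source-translation></entry>
</rules></nat><address>
<entry name="fw_untrust"><ip-netmask>192.168.1.4</ip-netmask></entry>
<entry name="fw_trust"><ip-netmask>192.168.2.201</ip-netmask></entry>
<entry name="web_server"><ip-netmask>192.168.2.203</ip-netmask></entry>
</address></config>"""


def vswitch_of(ip):
    """Return the VSwitch network that contains ip, or None if it is outside the VPC."""
    return next((n for n in VSWITCHES if ip in n), None)


def audit_nat(xml_text):
    """Return {rule_name: [problems]}; an empty list means the rule keeps replies on the firewall."""
    root = ET.fromstring(xml_text)
    addrs = {e.get("name"): ipaddress.ip_interface(e.findtext("ip-netmask")).ip
             for e in root.iterfind("address/entry")}
    report = {}
    for rule in root.iterfind("nat/rules/entry"):
        problems = []
        snat_if = rule.findtext("source-translation/dynamic-ip-and-port/interface-address/interface")
        dnat_target = rule.findtext("destination-translation/translated-address")
        if dnat_target:  # inbound: DNAT present, so SNAT must make the server reply to the Trust leg
            if snat_if is None:
                problems.append("DNAT without SNAT: server replies follow the VPC route, not the firewall")
            elif vswitch_of(addrs[INTERFACE_ADDR[snat_if]]) != vswitch_of(addrs[dnat_target]):
                problems.append(f"SNAT interface {snat_if} is not in the translated server's VSwitch")
        elif rule.findtext("from/member") == "trust" and snat_if != UNTRUST_IF:  # outbound
            problems.append(f"outbound SNAT must use the Untrust interface {UNTRUST_IF}, got {snat_if}")
        report[rule.get("name")] = problems
    return report
```

Running `audit_nat(SAMPLE_CONFIG)` yields an empty problem list for both rules; swapping either rule's SNAT interface to the other leg flags that rule.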
