Prepare to Deploy the VM-Series Firewall on Alibaba Cloud
End-of-Life (EoL)

Complete preliminary tasks before creating the VPC and Networks.
This task uses the Aliyun CLI to create a VPC and VSwitches for the VM-Series firewall; however, you should plan your network before you start. Evaluate the applications you want to protect, and determine where you will deploy the VM-Series firewall to secure north-south traffic. The firewall must be able to inspect traffic to and from your applications.

Choose Licenses and Plan Networks

Evaluate the applications you need to protect and create networks that permit the VM-Series firewall to inspect your inbound and outbound application traffic.
  1. Evaluate your applications and network configurations and calculate the firewall capacity you need to secure your applications and networks.
  2. Plan and design your VPC.
    1. Plan networks, including CIDR Blocks for your VPCs and VSwitches.
    2. Plan security groups.
  3. Obtain VM-Series firewall licenses.
    Although you do not need a license to install the VM-Series firewall (you can activate a license after the installation), you must choose an appropriate VM-Series model and ECS instance type before deploying the firewall.
    1. Choose a VM-Series model.
      The VM-Series firewall supports up to 8 interfaces, provided the VM-Series model and Alibaba Cloud instance have sufficient resources.
    2. Choose a VM-Series capacity license that meets your needs.
    3. Purchase a BYOL subscription bundle (if you do not already have one). You receive an auth code for your VM-Series subscription.
  4. Plan how to configure Alibaba accounts and permissions. If you do not have an account, see Alibaba Cloud Free Trial: How to Sign Up and Get Started.
  5. Obtain Alibaba Cloud licenses. Use the VM-Series model you have chosen to pick one of the Alibaba Cloud Instance Type Recommendations for the VM-Series Firewall.

Create a Custom Image in the Alibaba Cloud Console

The VM-Series firewall runs on KVM. You must use the VM-Series firewall qcow2 image file to create a custom image for Alibaba Cloud. To do this, upload the VM-Series qcow2 image file to an Object Storage Service bucket and create an Alibaba Cloud custom image.
  1. Obtain the VM-Series firewall qcow2 image file.
    1. Log in to the Palo Alto Networks Customer Support Portal (CSP) and register the VM-Series auth code. Create a Support Account.
    2. On the CSP, select Updates > Software Updates and, from the Filter By drop-down menu, choose Pan OS for VM-Series KVM Base Image and locate the qcow2 file for the current version.
    3. Download the qcow2 file to your local drive. For example, PA-VM-KVM-9.1.0.qcow2.
  2. Create a bucket for the VM-Series image.
    1. On the Alibaba Cloud Console home page, select Object Storage Service (OSS).
    2. Click Create Bucket toward the upper right, or choose an existing bucket.
    3. Specify name and region.
      The bucket must be in the same region as the VPC in which you plan to deploy the VM-Series firewall.
    4. Click OK.
  3. Upload the qcow2 image file to your bucket.
    1. Select your bucket, choose Files > Upload, and click here to upload.
    2. Select the qcow2 image file on your local drive.
  4. Copy the OSS object address (the file URL).
    In your bucket, select the row for the qcow2 image file, select More > Copy File URL in the Action column, and click Copy.
  5. Import the VM-Series firewall image into ECS.
    1. On the Alibaba Cloud console home page, select Elastic Compute Service.
    2. Select Images and click Import Image on the upper right.
    3. Paste in the OSS object address, fill out the form, and click OK.
      Your image appears in the Elastic Compute Service Images list.
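
The following is an added example, not part of the original procedure or of any Palo Alto Networks or Alibaba Cloud tooling: a check to run on the downloaded qcow2 file before the upload in step 3. It confirms the file is a stand-alone, unencrypted qcow2 image and computes its SHA-256. The function name and the `expected_sha256` value (a trusted checksum you supply) are assumptions.

```python
import hashlib
import struct
import sys

# qcow2 header, big-endian: magic, version, backing-file offset, backing-file
# name length, cluster bits, virtual size in bytes, encryption method.
HEADER_FMT = ">4sIQIIQI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 36 bytes
QCOW2_MAGIC = b"QFI\xfb"


def inspect_qcow2(path, expected_sha256=None):
    """Return version, virtual size and SHA-256 of a stand-alone qcow2 image.

    Raises ValueError if the header is not qcow2, if the image depends on a
    backing file or is encrypted, or if the digest differs from
    expected_sha256 (a trusted value supplied by the caller).
    """
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
        if len(header) < HEADER_LEN:
            raise ValueError("file is shorter than a qcow2 header")
        magic, version, backing_off, _, _, size, crypt = struct.unpack(
            HEADER_FMT, header)
        if magic != QCOW2_MAGIC:
            raise ValueError("bad magic: not a qcow2 image")
        if version not in (2, 3):
            raise ValueError(f"unexpected qcow2 version {version}")
        if backing_off != 0:
            raise ValueError("image references a backing file")
        if crypt != 0:
            raise ValueError("image is encrypted")
        sha.update(header)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
    digest = sha.hexdigest()
    if expected_sha256 and digest != expected_sha256.strip().lower():
        raise ValueError(f"SHA-256 mismatch: got {digest}")
    return {"version": version, "virtual_size": size, "sha256": digest}


if __name__ == "__main__":
    # usage: python check_image.py PA-VM-KVM-9.1.0.qcow2 [trusted-sha256]
    print(inspect_qcow2(sys.argv[1], *sys.argv[2:3]))
```

Record the digest it prints so the object in the OSS bucket can later be compared against the file you verified.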

Prepare to Use the Aliyun Command Line Interface

Everything you do in the ECS Console can be done from the Aliyun command line interface. The CLI is required if you want to use the VM-Series firewall to secure load balancing on Alibaba Cloud.
Install and configure a recent version of Aliyun, the Alibaba Cloud command line interface.
  1. Create an AccessKey and save the Access Key ID and Secret in a secure place.
  2. Download a supported version of Aliyun from https://github.com/aliyun/aliyun-cli.
  3. Install Aliyun.
  4. Configure Aliyun.
    The configuration prompts you for your Access Key information and other information.
    The region must match the region for the bucket that contains the qcow2 file in Create a Custom Image in the Alibaba Cloud Console.
    aliyun configure 
    Configuring profile '' in '' authenticate mode... 
    Access Key Id [*************8rq]: *************8rq 
    Access Key Secret [***************************tM2]: ***************************tM2 
    Default Region Id [us-west-1]: us-west-1
    Default Output Format [json]: json (Only support json))
    Default Language [zh|en] en: en 
    Saving profile[] ...Done. 
     available regions: 
    ...
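
The following is an added example, not part of the original page or of the Aliyun CLI: an audit of the profile that `aliyun configure` saved, covering the two requirements above (the AccessKey Secret is kept in a secure place, and the region matches the bucket's region). It assumes the CLI stores profiles in `~/.aliyun/config.json` with the keys `current`, `profiles`, `name`, `mode`, `region_id`, `access_key_id` and `access_key_secret`; the function name is hypothetical.

```python
import json
import os
import stat
import sys


def audit_aliyun_profile(config_path, bucket_region, profile=None):
    """Return a list of findings for one Aliyun CLI profile (empty = clean)."""
    findings = []

    # The secret is stored in this file, so no group/other access is acceptable.
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if mode & 0o077:
        findings.append(f"config file mode is {mode:03o}; the AccessKey Secret "
                        "is exposed to other accounts, use chmod 600")

    with open(config_path, encoding="utf-8") as fh:
        cfg = json.load(fh)

    # Audit the named profile, or the one the CLI currently uses.
    name = profile or cfg.get("current") or "default"
    match = [p for p in cfg.get("profiles", []) if p.get("name") == name]
    if not match:
        return findings + [f"profile '{name}' not found"]
    prof = match[0]

    # The image import needs the CLI region to equal the bucket's region.
    region = prof.get("region_id")
    if region != bucket_region:
        findings.append(f"profile region '{region}' differs from bucket "
                        f"region '{bucket_region}'")

    # An AK-mode profile without both key parts cannot authenticate.
    if prof.get("mode") == "AK" and not (
            prof.get("access_key_id") and prof.get("access_key_secret")):
        findings.append("AK-mode profile is missing its key id or secret")
    return findings


if __name__ == "__main__":
    # usage: python audit_profile.py <bucket-region> [profile-name]
    path = os.path.expanduser("~/.aliyun/config.json")
    for finding in audit_aliyun_profile(path, *sys.argv[1:3]):
        print("FINDING:", finding)
```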