VM-Series Firewall on Alibaba Cloud
Learn about the VM-Series firewall deployment on the Alibaba cloud.
| Where Can I Use This? | What Do I Need? |
|---|---|
| - Alibaba Cloud International Regions subscription<br>- Alibaba Cloud Mainland China subscription | - VM-Series License (BYOL)<br>- VM-Series plugin<br>- Panorama |
Deploying the VM-Series firewall on Alibaba Cloud protects networks you create within Alibaba Cloud. You can deploy VM-Series firewalls to secure inbound and outbound north-south traffic in internet-facing applications and hybrid cloud deployments.
Securing east-west traffic within the same VPC is not supported because Alibaba Cloud does not support subnet routing.
In Alibaba Cloud, your VPC logically isolates your virtual network. After creating a VPC,
you can create VSwitches to further segment your virtual private network, as shown in
the following diagram. To secure inbound traffic, both DNAT and SNAT must be configured
on the firewall.
Inbound traffic originates from a client outside of your VPC going to the VM-Series
firewall untrust interface. The firewall inspects the traffic and sends it to an
application through the trust interface. Traffic returning from the application must
travel through the VM-Series firewall trust interface, which inspects the return traffic
flow and sends it out through the untrust interface.
Outbound traffic typically originates from an external application. You normally route the internet-facing traffic within a VPC to a NAT gateway (with an EIP attached). To do this, add a default gateway route in the VPC routing table, with the VM-Series firewall IP address of the application subnet as the next hop. Configure SNAT using the untrust interface IP to ensure traffic originating from the internet returns through the VM-Series firewall.
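The following Python model is an added example, not code from the page or from Palo Alto Networks, that traces the address translations described above for one inbound and one outbound flow. It shows why the inbound path needs both DNAT and SNAT: after SNAT the application's reply is addressed to the firewall trust interface, so it returns through the firewall regardless of what the VPC route table would otherwise do with a packet destined for the client. All IP addresses, ports and the `NatFirewall` class are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample addressing (assumptions, not taken from the page)
CLIENT_IP = "198.51.100.5"   # client on the internet
UNTRUST_IP = "203.0.113.10"  # firewall untrust interface (internet-facing)
TRUST_IP = "10.0.2.10"       # firewall trust interface in the application VSwitch
APP_IP = "10.0.2.20"         # application server behind the firewall
INTERNET_IP = "192.0.2.44"   # external server the application talks to


class NatFirewall:
    """Minimal model of the DNAT and SNAT rules on the VM-Series firewall."""

    def __init__(self, untrust_ip, trust_ip, dnat_rules):
        self.untrust_ip = untrust_ip
        self.trust_ip = trust_ip
        # Inbound DNAT rule: port on the untrust IP -> (application IP, port)
        self.dnat_rules = dnat_rules
        # Session table keyed by the translated (ip, port) the firewall owns
        self.sessions = {}
        self._next_port = 40000

    def _alloc_port(self):
        port = self._next_port
        self._next_port += 1
        return port

    def inbound_forward(self, pkt):
        """Client -> untrust interface: apply DNAT, then SNAT to the trust IP."""
        if pkt.dst_ip != self.untrust_ip or pkt.dst_port not in self.dnat_rules:
            return None  # no matching DNAT rule, the packet is not forwarded
        app_ip, app_port = self.dnat_rules[pkt.dst_port]
        nat_port = self._alloc_port()
        self.sessions[(self.trust_ip, nat_port)] = pkt
        return Packet(self.trust_ip, nat_port, app_ip, app_port)

    def inbound_return(self, pkt):
        """Application reply arriving on the trust interface: undo both NATs."""
        orig = self.sessions.get((pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return None
        return Packet(self.untrust_ip, orig.dst_port, orig.src_ip, orig.src_port)

    def outbound_forward(self, pkt):
        """Application -> internet via the default route: SNAT to the untrust IP."""
        nat_port = self._alloc_port()
        self.sessions[(self.untrust_ip, nat_port)] = pkt
        return Packet(self.untrust_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def outbound_return(self, pkt):
        """Internet reply arriving on the untrust interface: undo the SNAT."""
        orig = self.sessions.get((pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return None
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)


def reply_to(pkt):
    """A server's reply swaps the source and destination of what it received."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def build_firewall():
    # Publish the application's port 8443 as 443 on the untrust IP (assumption)
    return NatFirewall(UNTRUST_IP, TRUST_IP, {443: (APP_IP, 8443)})


def inbound_flow(fw):
    """Returns (packet sent to app, app's reply, packet sent back to client)."""
    req = Packet(CLIENT_IP, 51000, UNTRUST_IP, 443)
    to_app = fw.inbound_forward(req)
    app_reply = reply_to(to_app)
    return to_app, app_reply, fw.inbound_return(app_reply)


def outbound_flow(fw):
    """Returns (packet sent to internet, external reply, packet sent back to app)."""
    req = Packet(APP_IP, 52000, INTERNET_IP, 80)
    to_internet = fw.outbound_forward(req)
    ext_reply = reply_to(to_internet)
    return to_internet, ext_reply, fw.outbound_return(ext_reply)


if __name__ == "__main__":
    for step in inbound_flow(build_firewall()) + outbound_flow(build_firewall()):
        print(step)
```

The point to check in the inbound flow is `app_reply.dst_ip`: it equals the trust interface address, not the client address, which is what keeps the return path on the firewall even though Alibaba Cloud cannot steer the reply with a subnet route.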