>
    Strata Copilot
    Configure Load Balancing on Alibaba Cloud
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on Alibaba Cloud
    4. Deploy the VM-Series Firewall on Alibaba Cloud
    5. Configure Load Balancing on Alibaba Cloud
    Download PDF
    VM-Series

    Configure Load Balancing on Alibaba Cloud

    Table of Contents

    Configure Load Balancing on Alibaba Cloud

    Use the Alibaba CLI to add ENIs to the Alibaba SLB.
    Where Can I Use This?What Do I Need?
    • Alibaba Cloud International Regions subscription
    • Alibaba Cloud Mainland China subscription
    • VM-Series License (BYOL)
    • VM-Series plugin
    • Panorama
    On Alibaba Cloud, you can deploy the VM-Series firewall in a load balancer sandwich configuration where the firewall is deployed between a public network and a private network, as shown below.
    In Create a VPC and Configure Networks, you created Untrust and Trust ENIs and attached them to the VM-Series firewall instance as secondary ENIs.
    When you use the console to add multiple backend servers to Alibaba Server Load Balancer (SLB), the SLB sends traffic to the primary ENI of the next-hop backend servers. Because the primary ENI is the management interface, traffic must go to the Untrust interface (a secondary ENI) for inspection.
    To ensure that internet traffic goes to dataplane interfaces rather than the management interface, use the Alibaba CLI to attach the VM-Series firewall untrust ENIs to your SLB instance.
    You must install the Aliyun command line interface to use the following CLI commands.
    1. Create the public and private VPCs for a load balancer sandwich configuration, and deploy the VM-Series firewalls.
      The remaining steps are sample CLI commands you can adapt to your environment.
    2. Create the load balancer.
      slb CreateLoadBalancer --RegionId us-west-1 --LoadBalancerName wli-slb 
--VpcId vpc-rj91ry36ghwgc8cf2fr7z --LoadBalancerSpec slb.s1.small 
--AddressType internet --MasterZoneId us-west-1a 
--SlaveZoneId us-west-1b 
{
        "NetworkType": "classic",
        "LoadBalancerName": "**********",
        "Address": "***********,
        "ResourceGroupId": "rg-************ofi",
        "RequestId": "0B8BA2AA-E837-****-****-B82A8A1D5FBB",
        "AddressIPVersion": "ipv4",
        "LoadBalancerId": "lb-******************mvz",
        "VSwitchId": "",
        "VpcId": "vpc-*****************r7z"
}
    3. Add backend servers.
      Use the CLI to add interfaces one at a time. The order in which you add the interfaces determines which NIC receives the interface.
      aliyun slb AddBackendServers --LoadBalancerId lb-******************mvz
--BackendServers
'[
       {
              "ServerId":"eni-******************bzw",
              "Type":"eni","Weight":"100"
       }
]'
    4. Create an HTTP Listener that performs a health check.
      aliyun slb CreateLoadBalancerHTTPListener
--LoadBalancerId lb-******************mvz
--ListenerPort 80 --StickySession on
--HealthCheck on --HealthCheckURI '/'

    © 2026 Palo Alto Networks, Inc. All rights reserved.