>
    Strata Copilot
    Secure North-South Traffic on Alibaba Cloud
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on Alibaba Cloud
    4. Deploy the VM-Series Firewall on Alibaba Cloud
    5. Secure North-South Traffic on Alibaba Cloud
    Download PDF
    VM-Series

    Secure North-South Traffic on Alibaba Cloud

    Table of Contents

    Secure North-South Traffic on Alibaba Cloud

    Learn how to use vSwitches to segment your VPN into subnets.
    Where Can I Use This?What Do I Need?
    • Alibaba Cloud International Regions subscription
    • Alibaba Cloud Mainland China subscription
    • VM-Series License (BYOL)
    • VM-Series plugin
    • Panorama
    After creating a VPC, you can create vSwitches to segment your virtual private network into subnets. This sample features a VPC with CIDR 192.168.0.0/16; you can enter your own values. Four vSwitches create four subnets.
    vSwitch NameInterfaceSample CIDR
    mgmteth0192.168.0.0/24
    untrusteth1192.168.1.0/24
    webeth2192.168.2.0/24
    dbeth3192.168.3.0/24
    In the following diagram, the VM-Series firewall connects to two trusted subnets, web and db. Inbound traffic is initiated when an external client accesses the VM-Series firewall’s Untrust interface. The firewall inspects the traffic and sends it to an application. For example, the firewall sends traffic to a Web server through the Trust interface. The traffic returning from the Web server must hit the VM-Series firewall’s Trust interface. The firewall inspects the return traffic flow, and sends it out through the Untrust interface.
    To secure inbound traffic, both DNAT and SNAT must be configured on the firewall.
    1. Create NAT rules for inbound traffic.
      Here’s a sample of the NAT rules for inbound traffic protection.
                 <nat>
              <rules>
                <entry name="inbound_web">
                  <source-translation>
                    <dynamic-ip-and-port>
                      <interface-address>
                        <interface>ethernet1/2</interface>
                      </interface-address>
                    </dynamic-ip-and-port> 
                 </source-translation>
                  <destination-translation>
                    <translated-address>web_server</translated-address>
                  </destination-translation>
                  <to>
                    <member>untrust</member>
                  </to>
                  <from>
                    <member>any</member>
                  </from>
                  <source>
                   <member>any</member>
                  </source>
                  <destination>
                    <member>fw_untrust</member>
                  </destination>
                  <service>any</service>
                  <to-interface>ethernet1/1</to-interface>
                </entry>
              </rules>
            </nat>

        <address>
            <entry name="fw_untrust">
              <ip-netmask>192.168.1.4</ip-netmask>
            </entry>
            <entry name="fw_trust">
              <ip-netmask>192.168.2.201</ip-netmask>
            </entry>
            <entry name="web_server">
              <ip-netmask>192.168.2.203</ip-netmask>
            </entry>
        </address>
    2. Secure outbound traffic.
      As shown in the diagram above, an application initiates the outbound traffic. For example, a web server must run yum install to update rpm packages. Typically the internet facing traffic within a VPC is routed to a NAT gateway (with an EIP attached). To secure outbound traffic, you must force outbound traffic to go through the VM-Series firewall.
      1. Add a default gateway route in the VPC routing table with firewall IP in the subnet of the web server as the next hop.
      2. View your entry in the route table.
      3. Configure SNAT rules using the Untrust interface IP to ensure traffic returning from the internet goes through the VM-Series firewall.
        Here's a sample SNAT configuration.
                    <nat>              
              <rules>
                <entry name="outbound_web">
                  <source-translation>
                    <dynamic-ip-and-port>
                      <interface-address>
                        <interface>ethernet1/1</interface>
                      </interface-address>
                    </dynamic-ip-and-port>
                  </source-translation>
                  <to>
                    <member>untrust</member>
                  </to>
                  <from>
                    <member>trust</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>any</member>
                  </destination>
                  <service>any</service>
                  <to-interface>any</to-interface>
                </entry>
              </rules>
           </nat>

    © 2026 Palo Alto Networks, Inc. All rights reserved.