To connect mobile users in mainland China to Prisma Access, you start by selecting regions in Alibaba Cloud (one region in mainland China and one region outside of mainland China) and create one VPC in each region. You set up the connectivity between the two VPCs over the CEN and create either a service connection or a remote network connection between Prisma Access and a router in the VPC outside of mainland China (Router 2 and VPC 2 in the following figure). You also deploy a VM-Series next-generation firewall in the VPC that is in the compute region in mainland China (VPC 1 in the following figure) and configure it as a GlobalProtect gateway. This gateway terminates the GlobalProtect tunnels for mobile users in China.

This deployment allows you to enforce security policies on the GlobalProtect gateway in China for internet-bound traffic. The following figure provides a high-level overview.
The following list provides a high-level overview of the tasks you perform to create a deployment that secures mobile users in mainland China. This document takes you through each of these list items in detail.

1. Complete real-name registration and configure and purchase bandwidth for Alibaba Cloud Express Connect (CEN).
2. Create two VPCs, one in each of two separate regions in Alibaba Cloud. Configure one VPC in mainland China. Refer to the Alibaba Cloud website for a list of available regions. Configure the second VPC outside mainland China, close to a Prisma Access location.
   You must use IKEv2 with NAT-T and dynamic IP addresses for the IPSec tunnel on Prisma Access.
3. Acquire one elastic IP address in the VPC in mainland China (VPC 1).
4. Deploy a VM-Series firewall (either a VM-300 or VM-500 model instance) or a next-generation firewall to use as Router 1 in the VPC located in China, configure it as a GlobalProtect gateway, add this gateway to the Prisma Access GlobalProtect portal, and configure the firewall to establish an IPSec site-to-site tunnel to the private IP address of Router 2.
5. Deploy a Linux instance in the VPC outside China (VPC 2) on Alibaba Cloud, configure the Linux instance as a NAT-enabled router to be used as Router 2, and configure Router 2 to forward IPSec tunnel packets to the Prisma Access service connection.
6. Specify the traffic to route through the Prisma Access service connection or remote network connection, depending on the type of connection you created.
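As an added example that is not part of this documentation or of any Palo Alto Networks or Alibaba Cloud tooling, the following POSIX shell script shows one way to set up Router 2 (the Linux instance in VPC 2) as a NAT-enabled router that forwards only the IKEv2/NAT-T tunnel packets from Router 1 toward Prisma Access and source-NATs them behind Router 2's public address. The interface names and the Router 1 private IP address are assumed placeholders; because Prisma Access sees a NATed, dynamic peer, the tunnel must use NAT-T (UDP/4500) as step 2 requires, so no bare ESP rule is needed.

```shell
#!/bin/sh
# Added example: Router 2 as a NAT-enabled router for the Router 1 -> Prisma Access IPSec tunnel.
# Assumed placeholders (replace with your own values):
ROUTER1_IP="${ROUTER1_IP:-10.1.0.10}"   # private IP of the VM-Series (Router 1) in VPC 1
CEN_IF="${CEN_IF:-eth1}"                # Router 2 interface facing the CEN / VPC 1 side
WAN_IF="${WAN_IF:-eth0}"                # Router 2 interface with the public (elastic IP) route

# Reject anything that is not a dotted-quad IPv4 address before it reaches a shell command line.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Emit the commands that turn this host into a least-privilege NAT router for the tunnel:
# forward only IKE (UDP/500) and NAT-T (UDP/4500) from Router 1, allow replies, drop all other
# forwarding, and source-NAT the tunnel packets so Prisma Access sees Router 2's address.
router2_nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $CEN_IF -o $WAN_IF -s $ROUTER1_IP -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $CEN_IF -o $WAN_IF -s $ROUTER1_IP -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $CEN_IF -d $ROUTER1_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $ROUTER1_IP -p udp -m multiport --dports 500,4500 -j MASQUERADE
EOF
}

# Dry run by default; set APPLY=1 and run as root to apply the rules.
if [ "${APPLY:-0}" = "1" ]; then
  is_ipv4 "$ROUTER1_IP" || { echo "ROUTER1_IP is not a valid IPv4 address" >&2; exit 1; }
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
  router2_nat_rules | sh -e
else
  router2_nat_rules
fi
```

The rules are printed for review by default, so you can check them before applying them on the instance.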