Secure North-South Traffic on Alibaba Cloud

Learn how to use VSwitches to segment your VPC into subnets.
After creating a VPC, you can create VSwitches to segment your virtual private cloud into subnets. This sample uses a VPC with CIDR 192.168.0.0/16; you can substitute your own values. Four VSwitches create four subnets:
    VSwitch Name    Interface    Sample CIDR
    mgmt            eth0         192.168.0.0/24
    untrust         eth1         192.168.1.0/24
    web             eth2         192.168.2.0/24
    db              eth3         192.168.3.0/24
In the following diagram, the VM-Series firewall connects to two trusted subnets, web and db. Inbound traffic is initiated when an external client accesses the VM-Series firewall’s Untrust interface. The firewall inspects the traffic and forwards it to an application; for example, it sends traffic to a web server through the Trust interface. The traffic returning from the web server must come back to the VM-Series firewall’s Trust interface rather than taking a different path to the client. The firewall inspects the return flow and sends it out through the Untrust interface.
To secure inbound traffic, both DNAT (to reach the application) and SNAT (to keep the return path on the firewall) must be configured on the firewall.
  1. Create NAT rules for inbound traffic.
    Here’s a sample of the NAT rules for inbound traffic protection.
        <nat>
          <rules>
            <entry name="inbound_web">
              <source-translation>
                <dynamic-ip-and-port>
                  <interface-address>
                    <interface>ethernet1/2</interface>
                  </interface-address>
                </dynamic-ip-and-port>
              </source-translation>
              <destination-translation>
                <translated-address>web_server</translated-address>
              </destination-translation>
              <to>
                <member>untrust</member>
              </to>
              <from>
                <member>any</member>
              </from>
              <source>
                <member>any</member>
              </source>
              <destination>
                <member>fw_untrust</member>
              </destination>
              <service>any</service>
              <to-interface>ethernet1/1</to-interface>
            </entry>
          </rules>
        </nat>

        <address>
          <entry name="fw_untrust">
            <ip-netmask>192.168.1.4</ip-netmask>
          </entry>
          <entry name="fw_trust">
            <ip-netmask>192.168.2.201</ip-netmask>
          </entry>
          <entry name="web_server">
            <ip-netmask>192.168.2.203</ip-netmask>
          </entry>
        </address>
  2. Secure outbound traffic.
    As shown in the diagram above, an application initiates the outbound traffic. For example, a web server must run yum install to update rpm packages. Typically, internet-facing traffic within a VPC is routed to a NAT gateway (with an EIP attached). To secure outbound traffic, you must force it to go through the VM-Series firewall.
    1. Add a default route in the VPC route table with the firewall’s IP address in the web server’s subnet (fw_trust in the sample above) as the next hop.
    2. View your entry in the route table.
    3. Configure SNAT rules using the Untrust interface IP to ensure traffic returning from the internet goes through the VM-Series firewall.
      Here's a sample SNAT configuration.
        <nat>
          <rules>
            <entry name="outbound_web">
              <source-translation>
                <dynamic-ip-and-port>
                  <interface-address>
                    <interface>ethernet1/1</interface>
                  </interface-address>
                </dynamic-ip-and-port>
              </source-translation>
              <to>
                <member>untrust</member>
              </to>
              <from>
                <member>trust</member>
              </from>
              <source>
                <member>any</member>
              </source>
              <destination>
                <member>any</member>
              </destination>
              <service>any</service>
              <to-interface>any</to-interface>
            </entry>
          </rules>
        </nat>
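    A quick consistency check for the inbound and outbound rules above, as an added example (not part of the original page or of PAN-OS): it parses the sample NAT and address fragments and confirms that the inbound rule source-translates to the Trust interface whose subnet holds the translated server, that its pre-NAT destination is the Untrust interface address, and that the outbound rule goes trust -> untrust with SNAT on the Untrust interface, so replies in both directions land back on the firewall. The interface-to-subnet map is constructed from the VSwitch table and assumes eth1 is ethernet1/1 and eth2 is ethernet1/2.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Interface -> (zone, subnet), constructed from the VSwitch table (assumes eth1 = ethernet1/1, eth2 = ethernet1/2).
INTERFACES = {"ethernet1/1": ("untrust", ipaddress.ip_network("192.168.1.0/24")),
              "ethernet1/2": ("trust", ipaddress.ip_network("192.168.2.0/24"))}
UNTRUST_NET = INTERFACES["ethernet1/1"][1]
SNAT_IF = "source-translation/dynamic-ip-and-port/interface-address/interface"
# The page's own sample fragments, compacted onto a few lines each.
INBOUND = """<nat><rules><entry name="inbound_web"><source-translation><dynamic-ip-and-port>
<interface-address><interface>ethernet1/2</interface></interface-address></dynamic-ip-and-port>
</source-translation><destination-translation><translated-address>web_server</translated-address>
</destination-translation><to><member>untrust</member></to><from><member>any</member></from>
<source><member>any</member></source><destination><member>fw_untrust</member></destination>
<service>any</service><to-interface>ethernet1/1</to-interface></entry></rules></nat>"""
OUTBOUND = """<nat><rules><entry name="outbound_web"><source-translation><dynamic-ip-and-port>
<interface-address><interface>ethernet1/1</interface></interface-address></dynamic-ip-and-port>
</source-translation><to><member>untrust</member></to><from><member>trust</member></from>
<source><member>any</member></source><destination><member>any</member></destination>
<service>any</service><to-interface>any</to-interface></entry></rules></nat>"""
ADDRESS = """<address><entry name="fw_untrust"><ip-netmask>192.168.1.4</ip-netmask></entry>
<entry name="fw_trust"><ip-netmask>192.168.2.201</ip-netmask></entry>
<entry name="web_server"><ip-netmask>192.168.2.203</ip-netmask></entry></address>"""

def load_addresses(address_xml):
    """Map address-object names to IP addresses from an <address> fragment."""
    return {e.get("name"): ipaddress.ip_address(e.findtext("ip-netmask"))
            for e in ET.fromstring(address_xml).findall("entry")}

def inside(addresses, name, net):
    # True only if the address object exists and lies inside the given subnet.
    return name in addresses and addresses[name] in net

def check_nat_rules(nat_xml, addresses):
    """Findings for rules that would not keep both directions of a flow on the firewall."""
    findings = []
    for rule in ET.fromstring(nat_xml).findall("rules/entry"):
        name, snat_if = rule.get("name"), rule.findtext(SNAT_IF)
        if snat_if not in INTERFACES:
            findings.append(f"{name}: SNAT interface {snat_if!r} is not in the subnet plan")
            continue
        snat_zone, snat_net = INTERFACES[snat_if]
        dnat = rule.findtext("destination-translation/translated-address")
        if dnat:  # inbound: DNAT to the app, SNAT to the Trust IP so replies return through the firewall
            if snat_zone != "trust" or not inside(addresses, dnat, snat_net):
                findings.append(f"{name}: inbound SNAT must use the Trust interface fronting {dnat}")
            if not inside(addresses, rule.findtext("destination/member"), UNTRUST_NET):
                findings.append(f"{name}: pre-NAT destination must be the Untrust interface address")
        else:  # outbound: trust -> untrust, SNAT to the Untrust IP so replies come back to the firewall
            zones = (rule.findtext("from/member"), rule.findtext("to/member"))
            if zones != ("trust", "untrust") or snat_zone != "untrust":
                findings.append(f"{name}: outbound rule must be trust -> untrust with SNAT on the Untrust interface")
    return findings
```

Running check_nat_rules(INBOUND, load_addresses(ADDRESS)) and the same for OUTBOUND returns an empty list for the page's samples; swapping the inbound SNAT interface to ethernet1/1 produces a finding, because replies from the web server would then bypass the Trust interface.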