VM-Series firewalls can be deployed on Alibaba Cloud to protect Internet-facing applications as well as outbound connectivity from VMs deployed on Alibaba Cloud. Inter-VPC communications can also be protected by deploying VM-Series firewalls in an architecture that is similar to the Transit VPC architecture on AWS. Check out Palo Alto Networks' VM-Series Deployment Guide to learn how to set up the VM-Series Firewall on Alibaba Cloud.
Recently, Alibaba Cloud released a feature called Cloud Enterprise Network - Transit Router (CEN-TR). This feature is similar to AWS’ Transit Gateway. It allows VM-Series to be deployed in a Security VPC to inspect inbound traffic to spoke VPCs attached to it, outbound traffic from spoke VPCs, and East/West traffic between spoke VPCs.
CEN-TR Deployment Architecture
As shown in the diagram below, the CEN-TR is connected to spoke1-VPC via attachment TR-att-1, spoke2-VPC via attachment TR-att-2 and Security-VPC via attachment TR-att-3.
Figure: CEN-TR Deployment Architecture
Route tables in the spoke VPCs (Spoke1-RT and Spoke2-RT) are used to route traffic in the spoke VPCs to the CEN-TR via the respective attachments. The attachments from the spoke VPCs are associated with the “CEN-TR-Spoke-RT” route table in the CEN-TR. This route table will route all traffic to the Security-VPC via the attachment TR-att-3.
The route table in the Security-VPC that is associated with the Trust subnet (Trust-RT) is used to route all traffic to the Spoke VPCs to the CEN-TR via the attachment TR-att-3. The route table in the Security-VPC that is associated with the CEN-TR subnet (TR-Subnet-RT) is used to route all traffic coming from the CEN-TR to the Trust ENI of the VM-Series firewall. The attachment TR-att-3 from the Security-VPC is associated with the “CEN-TR-Security-RT” route table in the CEN-TR. This route table will route traffic to the respective spoke VPCs.
As you can see, this is similar to how the AWS Transit Gateway works. One major difference is that only the VPC attachment is supported by CEN-TR. Having an IPSec tunnel from a VM-Series firewall to the CEN-TR is not supported.
In this test, a single AZ is used to show how CEN-TR works. For multiple AZs, CEN-TR can be used together with other VM-Series firewall deployment scenarios to achieve HA. Examples include Alicloud_VM_HA and Alicloud_LB_Sandwich.
From the Alibaba Cloud portal, go to Cloud Enterprise Network to create a CEN instance.
Once the CEN instance has been created, click on the CEN instance to access the instance details. From the instance details page, create a Transit Router.
After the Transit Router has been created, click on the newly created transit-router instance to access its details.
Next, create the attachments to all three VPCs. To create an attachment, go to the “Intra-region Connections” tab. Click on "Create Connection." Enter the region, select the AZ, provide a name for the attachment, and choose the VPC to connect to. Under the advanced settings, uncheck all options.
Now you're ready to create the Transit Router route tables; go to the “Route Table” tab and click “Create Route Table.” Create two route tables: Spoke-RT and Security-RT.
After the CEN-TR route tables are created, associate the route tables with the attachments created earlier. Go to the “Route Table Association” tab and click on "Add Association." For Spoke-RT, associate it with the spoke VPC attachments (i.e. TR-Att-1 and TR-Att-2). For Security-RT, associate it with the security VPC attachment (i.e. TR-Att-3).
Next, add route entries into the CEN-TR route tables. For Spoke-RT, go to the “Route Entry” tab and click on “Add Route Entry” to add a static default route to point to attachment TR-att-3 (i.e. the next-hop is the Security-VPC).
Similarly, add static routes to the Security-RT. Instead of a default route, add the spoke VPC routes.
VPC Route Tables
From the Alibaba Cloud portal, go to VPC → Route Tables to create VPC route tables. Create the four route tables (Spoke1-RT, Spoke2-RT, Trust-RT, and TR-Subnet-RT) as mentioned earlier in the document, and add the appropriate custom route entries to the route tables. After that, associate the appropriate vSwitch to the route tables.
For example, the Trust-RT in the Security-VPC has a custom route to the spoke VPC with attachment TR-Att-3 as the next hop, and it is associated with the Trust subnet in the Security-VPC.
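The route tables described above can be checked offline before traffic is sent through them. The following is an added example, not part of the original article or of any Palo Alto Networks or Alibaba Cloud tooling: it models the seven route tables, traces a packet hop by hop, and reports any flow that reaches another VPC or the Internet without crossing the VM-Series firewall. The CIDRs, sample addresses, and the `BROKEN` variant are constructed assumptions.

```python
import ipaddress

# Constructed CIDRs; the article does not give the VPC address ranges.
SPOKE1, SPOKE2, ANY = "10.1.0.0/16", "10.2.0.0/16", "0.0.0.0/0"

# prefix -> next hop; a next hop that is also a table name is looked up next.
TABLES = {
    "Spoke1-RT":          {SPOKE1: "local", ANY: "CEN-TR-Spoke-RT"},   # via TR-att-1
    "Spoke2-RT":          {SPOKE2: "local", ANY: "CEN-TR-Spoke-RT"},   # via TR-att-2
    "CEN-TR-Spoke-RT":    {ANY: "TR-Subnet-RT"},                       # via TR-att-3
    "TR-Subnet-RT":       {ANY: "VM-Series"},                          # Trust ENI
    "VM-Series":          {SPOKE1: "Trust-RT", SPOKE2: "Trust-RT", ANY: "Internet"},
    "Trust-RT":           {SPOKE1: "CEN-TR-Security-RT", SPOKE2: "CEN-TR-Security-RT"},
    "CEN-TR-Security-RT": {SPOKE1: "Spoke1-VPC", SPOKE2: "Spoke2-VPC"},
}

def lookup(table, dst):
    """Longest-prefix match; returns None when no route covers dst."""
    ip = ipaddress.ip_address(dst)
    hits = [p for p in table if ip in ipaddress.ip_network(p)]
    best = max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen, default=None)
    return table.get(best)

def trace(tables, start, dst):
    """Follow dst from route table `start` until it leaves the modelled tables."""
    path = [start]
    while path[-1] in tables:
        nxt = lookup(tables[path[-1]], dst) or "blackhole"
        if nxt in path:
            raise RuntimeError(f"routing loop: {path + [nxt]}")
        path.append(nxt)
    return path

def uninspected(tables, flows):
    """Flows that reach another VPC or the Internet without crossing the firewall."""
    paths = [(s, d, trace(tables, s, d)) for s, d in flows]
    return [f for f in paths
            if f[2][-1] not in ("local", "blackhole") and "VM-Series" not in f[2]]

FLOWS = [("Spoke1-RT", "10.2.0.10"), ("Spoke2-RT", "10.1.0.10"),
         ("Spoke1-RT", "203.0.113.10"), ("Spoke2-RT", "203.0.113.10")]

# Constructed mistake: TR-att-1 associated with the security route table.
BROKEN = {**TABLES, "Spoke1-RT": {SPOKE1: "local", ANY: "CEN-TR-Security-RT"}}

if __name__ == "__main__":
    for start, dst in FLOWS:
        print(dst, " -> ".join(trace(TABLES, start, dst)))
    print("uninspected (broken):", uninspected(BROKEN, FLOWS))
```

In the `BROKEN` variant only the Spoke1-to-Spoke2 direction skips the firewall while the return path is still inspected, which is the kind of asymmetric bypass that a one-way connectivity test does not reveal.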
EIP For Outbound Internet Access
For outbound traffic to the Internet, an Elastic IP Address (EIP) can be attached to the Untrust interface of the VM-Series firewall, or a NAT Gateway can be used. In this test, an Elastic IP Address (EIP) is attached to the Untrust interface of the VM-Series firewall.
VM-Series Firewall Configuration
The Untrust and Trust interfaces of the VM-Series firewall are configured as DHCP clients, with the Untrust interface configured to “Automatically create default route pointing to default gateway provided by server."
A static route to the spoke VPCs is added to the VM-Series firewall.
NAT rules are configured for Inbound and Outbound traffic.
For Outbound traffic, the SNAT rule will match the source addresses of the servers in the spoke VPCs. The source address will then be translated (SNAT) to the private IP address of the Untrust interface.
For Inbound traffic, the NAT rules are similar to those used for the LB sandwich design. The NAT rules will have a destination address match on the private IP address of the Untrust interface of the VM-Series firewall as well as the TCP port. Traffic will be forwarded to the spoke1 web server or spoke2 web server depending on the TCP port of the traffic.
Security policies are configured to allow inbound, outbound and east/west traffic.
Testing Inbound Traffic
The web server can be accessed via the EIP and TCP port. As can be seen from the following figures, the client can successfully access the web servers in Spoke1-VPC and Spoke2-VPC.
The firewall logs show these inbound sessions.
Testing Outbound Traffic
Accessing the Internet from the servers in Spoke1-VPC and Spoke2-VPC is successful. The source IP address is detected to be the EIP.
The firewall logs show these outbound sessions.
Testing East/West Traffic
Accessing the server in Spoke2-VPC from the server in Spoke1-VPC is successful.
The firewall log shows the east/west session.
In conclusion, with CEN-TR, VM-Series firewalls can be deployed in a Security VPC to protect inbound, outbound and east/west traffic between a large number of VPCs on Alibaba Cloud.