Alibaba Cloud

Alibaba Cloud is a comprehensive cloud computing platform provided by Alibaba Group that offers a wide range of services, including elastic compute, storage, networking, security, and artificial intelligence. In this lab, we will deploy a FortiGate firewall virtual appliance using a custom image within the Alibaba Cloud environment. We will configure multiple network interfaces and implement route control to ensure that all traffic from an internal Linux host is inspected by the firewall before reaching the internet.

Creating Image

Here we access the Alibaba Cloud Console

We will upload our own custom image to deploy our FortiGate firewall. To do that, we enable OSS and create a new bucket

We name it helena-bucket and place it in the Jakarta region

Next we prepare the .qcow2 image that we downloaded from Fortinet's site

Then we open the bucket that we just created and hit upload object

And upload the image file

After the upload finishes, open the file and copy the Object URL

Go to ECS » Images, select Import Image

Here we hit next

And here we paste the Object URL and configure the image type

VPC

Next we will configure our networking. Here we create a new VPC

Here we create helena-vpc with two vSwitches: ext-vs (10.0.1.0/24) and int-vs (10.0.2.0/24)

While we're at it, let's create a Security Group

We name it anyany-sg and, as the name suggests, this SG allows any traffic in and out, to and from anywhere

Deploying Instance

Next go to ECS » Instance and select Create Instance

We'll be using the PAYG billing method and the Jakarta region. Here we also select the VPC and the external vSwitch

Then select the CPU, memory and disk to suit the FortiGate deployment, and select the forti-image that we created earlier

Enable Public IP Address, select the ext-vs ENI, and use the Security Group that we created earlier

Now our FortiGate VM is up, but it still has only one interface

Go to Elastic Network Interfaces and select Create ENI

Here we create the ENI in int-vs

Back on our instance, we bind the secondary ENI

Now we can connect to our FortiGate via the terminal

Or access it using the assigned public IP address

Routing Internal Traffic

In order for our internal traffic to pass through the FortiGate on its way to the internet, we will modify the routing table

Here we add a custom route for 0.0.0.0/0 with the FortiGate's internal ENI as the next hop

Now we can see that int-vs has a default route pointing to the FortiGate

Next we spin up a small Linux VM in the int-vs subnet

And this Linux VM at 10.0.2.93 can ping the FortiGate and access the internet

Which we can verify by checking the traffic logs on the FortiGate
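The log check above shows that traffic is reaching the firewall; the route table is what guarantees it. Below is an added example (not part of the original post, and not using the Alibaba Cloud API) that resolves sample destinations against a constructed copy of the int-vs route table with longest-prefix matching, the way the VPC does, and flags any entry that would steer non-VPC traffic somewhere other than the FortiGate's internal ENI. The ENI id and the extra NAT-gateway entry are placeholders.

```python
import ipaddress

# Constructed sample of the int-vs route table after the lab's custom route.
# Each entry is (destination CIDR, next-hop type, next-hop id).
# "eni-fgt-internal" is a placeholder for the FortiGate's internal ENI id.
FGT_INTERNAL_ENI = "eni-fgt-internal"
VPC_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]          # ext-vs and int-vs
INT_VS_ROUTES = [
    ("10.0.1.0/24", "System", "local"),
    ("10.0.2.0/24", "System", "local"),
    ("0.0.0.0/0", "NetworkInterface", FGT_INTERNAL_ENI),
]


def next_hop(routes, dst):
    """Resolve dst with longest-prefix match; returns (type, id) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, kind, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, target)
    return None if best is None else (best[1], best[2])


def bypass_routes(routes, vpc_cidrs, fgt_eni):
    """Entries covering destinations outside the VPC whose next hop is not the firewall ENI.

    A more specific route (e.g. a NAT gateway for one prefix) wins over 0.0.0.0/0,
    so any such entry lets internal hosts reach the internet uninspected."""
    vpc_nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    flagged = []
    for cidr, kind, target in routes:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(v) for v in vpc_nets) and target != fgt_eni:
            flagged.append((cidr, kind, target))
    return flagged


def all_inspected(routes, samples, fgt_eni=FGT_INTERNAL_ENI):
    """True when every sample internet destination resolves to the firewall ENI."""
    return all(next_hop(routes, d) == ("NetworkInterface", fgt_eni) for d in samples)


if __name__ == "__main__":
    print(next_hop(INT_VS_ROUTES, "8.8.8.8"))      # ('NetworkInterface', 'eni-fgt-internal')
    print(all_inspected(INT_VS_ROUTES, ["8.8.8.8", "1.1.1.1"]))   # True
    # Constructed misconfiguration: a more specific route around the firewall.
    leaky = INT_VS_ROUTES + [("203.0.113.0/24", "NatGateway", "ngw-placeholder")]
    print(bypass_routes(leaky, VPC_CIDRS, FGT_INTERNAL_ENI))      # flags the NAT route
```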

This post is licensed under CC BY 4.0 by the author.