Your customer doesn't have to install anything inside a VM. I was thinking more of a single VM as part of the server infrastructure that you put as a gateway/firewall between the internet and all of the clients' VMs.
And you can configure Suricata using the OPNsense web UI. There is also a checkbox to switch between intrusion detection and intrusion prevention mode. Suricata IDS as part of OPNsense is working fine here in a VM with 4 GB RAM.