Onboard Azure Cloud Account in Strata Cloud Manager

1. Log in to Strata Cloud Manager.
2. Navigate to Insights → Prisma AIRS→ Prisma AIRS AI Runtime: Network Intercept. (If you are onboarding for the first time, click Get Started.
3. If you have previously onboarded a cloud account; from the top right corner, click the Cloud Account Manager (cloud) icon.

4. Select Add Cloud Account.
5. Select Cloud Service Provider as Azure and select Next.

6. Enter basic information:

   • A unique Name to identify your onboarded cloud account. (Limit the name to 32 characters).
   • Azure Tenant ID.
   • Azure Subscription ID.

   Refer to the section on how to get subscription and tenant IDs in the Azure portal.

   To discover Kubernetes-related clusters when the container workloads are identified by the "Cluster Name" application definition method, enable "Bring your own Azure virtual network."

   Follow these steps in the Azure portal:

   1. Navigate to Kubernetes services → [Your Cluster]→ Settings→ Networking.
   2. Under Network configuration, select Azure CNI Overlay as the Network plugin.
   3. Enable Bring your own Azure virtual network.

7. Click Next.
8. In Application Definition, configure how your assets will be grouped for discovery.

   Enhanced application definition options provide granular boundary criteria using workload-specific methods such as tags, subnets, and namespaces that align with your application deployment patterns and business logic.

   1. Your selected application boundaries determine which applications appear in the deployment workflow. For all workload types, Prisma AIRS AI Runtime: Network intercept maps applications to their VPCs, and the firewall protects traffic at the VPC level. The namespace shows applications from Pods/Cluster workloads, while VPC/VNETs display applications from virtual machine workloads.
   2. For container workloads, regardless of the application definition method you select (namespace, cluster, or tag), please annotate all pods if you want to add protection with the Palo Alto Networks-specific label "paloaltonetworks.com/firewall": "pan-fw". This annotation is needed to secure the pods, in addition to defining the application boundaries.

   When using tag-based application boundaries, if your cloud provider allows tags with only keys (no values), you should use the application name as the tag key.

   Table: Workload-specific selection guide

   Workloads	Application Definition Method	Choose When
   Container Workloads (Default boundary: namespace)	Namespace Cluster Name Tag	Applications are separated by Kubernetes namespaces for logical isolation. Applications span multiple namespaces but remain within a single cluster. Applications require custom grouping based on business logic, regardless of infrastructure.
   Virtual Machines (Default boundary: VPC/VNET)	Subnet Name VPC/VNET Tag	VMs are organized by network segments that align with application boundaries. You prefer a broader network perimeter-based application grouping (default). Uses key-value pairs for business-context-driven application organization.
   Serverless Compute (Default boundary VPC/VNET)	Subnet Name VPC/VNET Tag	Functions are deployed in specific subnet boundaries within the application domain. You want to group all functions within the same network level using VPC/VNET boundaries. Uses key-value pairs for flexible business requirement-based grouping.

9. Input Storage Account Name (Enter only lowercase letters and numbers; the name must be between 3 and 24 characters).

   This is the storage account name that you created in the Azure Cloud Account Onboarding Prerequisites step.

10. Download Terraform.
11. Execute Terraform. Save and unzip the downloaded Terraform zip file.
12. Navigate to the panw-discovery-<tsgid>-onboarding/azr folder and follow the `README.md` instructions to apply the Terraform in Azure to create the resources and add the role assignments.

    #Login to the Azure tenant from CLI and replace the "Tenant_Id" with your tenant_id value
    az login -t <Tenant_Id>
    
    #Replace the value with your subscription_id that is being onboarded
    az account set -s <Subscription_id>
    
    #Deploy the Terraform
    terraform init
    terraform plan
    terraform apply
    

13. Log in to Azure Portal. Make sure you see the logs in Azure Storage Account → Data Storage → Containers → Insight flow logs and verify the date and hour.
14. Select Done.

    This validates the successful creation of a service account in Azure.
15. You can now view and manage the onboarded cloud accounts in Strata Cloud Manager.
16. To discover your protected and unprotected cloud assets, see the page on discovering your cloud resources.

    Initial data should populate on Strata Cloud Manager in about 15 minutes and the flow logs may have a delay of about 3 hrs to show up on the Strata Cloud Manager dashboard.

    Next, protect the network traffic flow by deploying Prisma AIRS AI Runtime: Network intercept or VM-Series firewall in Azure.