Onboard GCP Cloud Account in Strata Cloud Manager
Focus
Focus
Prisma AIRS

Onboard GCP Cloud Account in Strata Cloud Manager

Table of Contents

Onboard GCP Cloud Account in Strata Cloud Manager

Onboard your GCP cloud account in Strata Cloud Manager.
Where Can I Use This?What Do I Need?
Onboard GCP cloud account in Strata Cloud Manager. Create and download an onboarding Terraform template. When you apply this template in your cloud environment, it generates a service account with sufficient permissions. These permissions enable discovery within your cloud environment, allowing Prisma AIRS AI Runtime: Network intercept or VM-Series firewall to access the network flow logs, asset inventory details, and other essential cloud resources.
  1. Navigate to Insights → Prisma AIRS→ Prisma AIRS AI Runtime: Network Intercept. (If you are onboarding for the first time, click Get Started.
  2. If you have previously onboarded a cloud account; from the top right corner, click the Cloud Account Manager (cloud) icon.
  3. Select Cloud Service Provider as GCP and select Next.
  4. Enter basic information:
    • A unique Name to identify your onboarded cloud account (Limit the name to 32 characters).
    • The GCP Project ID.
    • Input (Storage) Bucket Name you created in the Create a Cloud Storage Bucket prerequisite step.
    Select Next.
  5. In Application Definition, configure how your assets will be grouped for discovery.
    Enhanced application definition options provide granular boundary criteria using workload-specific methods such as tags, subnets, and namespaces that align with your application deployment patterns and business logic.
    1. Your selected application boundaries determine which applications appear in the deployment workflow. For all workload types, Prisma AIRS AI Runtime: Network intercept maps applications to their VPCs, and the firewall protects traffic at the VPC level. The namespace shows applications from Pods/Cluster workloads, while VPC/VNETs display applications from virtual machine workloads.
    2. For container workloads, regardless of the application definition method you select (namespace, cluster, or tag), please annotate all pods if you want to add protection with the Palo Alto Networks-specific label "paloaltonetworks.com/firewall": "pan-fw". This annotation is needed to secure the pods, in addition to defining the application boundaries.
    When using tag-based application boundaries, if your cloud provider allows tags with only keys (no values), you should use the application name as the tag key.
    Table: Workload-specific selection guide
    Container WorkloadsApplication Definition MethodChoose When
    Container Workloads
    (Default boundary: namespace)
    • Namespace
    • Cluster Name
    • Tag
    • Applications are separated by Kubernetes namespaces for logical isolation.
    • Applications span multiple namespaces but remain within a single cluster.
    • Applications require custom grouping based on business logic, regardless of infrastructure.
    Virtual Machines
    (Default boundary: VPC/VNET)
    • Subnet Name
    • VPC/VNET
    • Tag
    • VMs are organized by network segments that align with application boundaries.
    • You prefer a broader network perimeter-based application grouping (default).
    • Uses key-value pairs for business-context-driven application organization.
    Serverless Compute
    (Default boundary VPC/VNET)
    • Subnet Name
    • VPC/VNET
    • Tag
    • Functions are deployed in specific subnet boundaries within the application domain.
    • You want to group all functions within the same network level using VPC/VNET boundaries.
    • Uses key-value pairs for flexible business requirement-based grouping.
  6. select Next.
  7. Input Service Account Name (Enter only lowercase letters and numbers; the name must be between 3 and 24 characters).
  8. Download Terraform.
    Use one service account per project.
  9. Execute Terraform. Unzip the downloaded Terraform zip file and follow the `README.md` file for instructions on deploying Prisma AIRS AI Runtime: Network intercept Terraform in your cloud environment.
    cd <unzipped-folder>/gcp //Change directory to the Terraform plan #Deploy the Terraform terraform init terraform plan terraform apply
    Provide the required IAM Permissions to the user executing the Terraform template.
    Once the `terraform apply` command completes, the following output is displayed:
    Apply complete! Resources: 19 added, 0 changed, 0 destroyed. Outputs: service_account_email = "panw-discovery-****@PROJECT_ID.iam.gserviceaccount.com"
    After executing Terraform, deploy services to your GKE cluster. For detailed instructions, see Deploy an application to a GKE cluster.
  10. Select Done.
    It may take about 10 seconds before you can click on the “Done” button. This brief pause ensures all background processes complete successfully. This validates the successful creation of a service account in GCP.
    After successfully connecting to the cloud service provider with the specified service account, the Prisma AIRS AI Runtime: Network intercept gathers cloud VM and Kubernetes workload IP-tags from the Edge Service and tag collector, respectively. This discovery process can take up to 15 minutes before assets appear on the Strata Cloud Manager command center dashboard.
  11. You can now view and manage the onboarded cloud accounts in Strata Cloud Manager.
  12. To discover your protected and unprotected cloud assets, see the page on discovering your cloud resources.
    Next, protect the network traffic flow by deploying Prisma AIRS AI Runtime: Network in GCP or VM-Series firewall.