Deploy a Tag Collector Agent on Azure to Secure Private Clusters
Learn to deploy a tag collector agent to secure private clusters with the Prisma AIRS AI Runtime Firewall.
Where Can I Use This?
What Do I Need?
  • Prisma AIRS AI Runtime Firewall
  • Azure
To secure your private Kubernetes clusters in your Azure environment, you must deploy a Tag Collector Agent to collect IP-tag information. Complete the following procedure to deploy a Tag Collector Agent on Azure.
Verify that you've completed the following prerequisites before deploying a tag collector.
  • An onboarded Azure account with the field Are the cluster workloads private? set to Yes. If you have already onboarded the Azure account, you must complete the onboarding workflow again with the above field set to Yes and execute the terraform again.
  • Administrative access to all cloud accounts involved in the deployment
  • Appropriate Azure roles and permissions for cross-account resource sharing
  • Network access from the tag collector to the private cluster endpoints
  1. Log in to Strata Cloud Manager.
  2. Select Insights > AI Runtime Firewall.
  3. Click the plus icon in the upper right corner and select Add Agent Deployment.
  4. Select Azure as your cloud service provider and click Next.
  5. Enter a descriptive Name of the Agent Deployment.
  6. Select the Cloud Account and Cloud Region.
  7. Click Next.
  8. Enter the CIDR of the VPC where Prisma AIRS will deploy the tag collector agent.
  9. If you need to access the tag collector VM, enter the CIDR range(s) from which the VM will be accessed.
  10. Enter one or more CIDR ranges to be Allowed Management Access.
  11. Select one or more cloud accounts that have private workloads from the Accounts to pull IP/Tags from drop-down.
  12. Enable or disable the Management IP Address.
  13. Enter your SSH Key.
  14. Enter the Device ID and Device PIN Value.
  15. Select an SCM folder with which to associate the tag collector.
  16. Select the PAN-OS Software Version for the tag collector.
  17. Select a VM instance to house the tag collector agent from the VM Size drop-down.
  18. Enter your Authcode and click Next.
  19. Enter a descriptive Terraform Template Name and download the terraform template .zip file.
  20. Execute Terraform. Save and unzip the downloaded Terraform zip file. Navigate to `panw-discovery-10xxxx684868-onboarding/aws` and follow the `README.md` instructions to apply the Terraform in AWS to create the resources and add the role assignments.

Execute the Tag Collector Agent Terraform

After downloading and extracting the tag collector agent terraform template, you must deploy it in your Azure environment. The tag collector architecture folder has two subdirectories—tc_project and tc_peer_project. You must manually add private cluster details to the tc_project terraform.tfvars file.
architecture/
  tc_project/
  tc_peer_project/
  1. Modify the tc_project terraform.tfvars file for peering the private clusters.
    You need to add your private cluster ID, name, and resource group name. The private cluster ID must be the full resource path in the following format:
    /subscriptions/<sub-id>/resourceGroups/rg-name/providers/Microsoft.Network/virtualNetworks/<private-cluster>
    tc_resource_subscription_id = "<test-resource-sub-id>"
    resource_group_name         = "test-template-Resource-Group-1"
    location                    = "eastus"
    name_prefix                 = "test-template-"
    tags = {
      ManagedBy                        = "terraform"
      Product                          = "Palo Alto Networks AI Runtime Security"
      "paloaltonetworks.com-managedby" = "cloud"
      "paloaltonetworks.com-mode"      = "Tag Collector Agent"
      "paloaltonetworks.com-occupied"  = "6ZO1m-zvR"
      "paloaltonetworks.com-trust"     = "6ZO1m-zvR"
    }
    create_resource_group = false
    vnets = {
      application-vnet = {
        create_virtual_network = false
        id                     = "<private-cluster-path-and-id>"
        name                   = "<private-cluster-name>"
        resource_group_name    = "<private-cluster-resource-group-name>"
        tc_resource_group_name = "test-template-Resource-Group-1"
        tc_vnet_id             = "/subscriptions/<sub-id>/resourceGroups/test-template-Resource-Group-1/providers/Microsoft.Network/virtualNetworks/test-template-tag-collector-vnet"
        tc_vnet_name           = "test-template-tag-collector-vnet"
      }
    }
  2. Add the application VNet details for each private cluster to the terraform.tfvars file.
    application-vnet = {
      id                  = "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Network/virtualNetworks/<app-vnet-name>"
      name                = "<app-vnet-name>"
      resource_group_name = "<app-vnet-resource-group-name>"
    }
  3. Update the private_cluster_dns_tc_peering block for each private cluster. Add cluster1 (increment the number for each additional cluster) with the resource group name and private DNS name of that cluster. The following example shows the addition of two private clusters in one group.
    private_cluster_dns_tc_peering = {
      clusters_group_1 = {
        clusters = {
          cluster1 = {
            resource_group_name = "<private-cluster1-rg-name>"
            private_dns_name    = "<private-dns-name>"
          }
          cluster2 = {
            resource_group_name = "<private-cluster2-rg-name>"
            private_dns_name    = "<private-dns-name>"
          }
        }
        tag_collector_vnet_id = "/subscriptions/<sub-id>/resourceGroups/test-template-Resource-Group-1/providers/Microsoft.Network/virtualNetworks/test-template-tag-collector-vnet"
      }
    }
  4. Initialize and apply the Terraform for the Tag Collector agent.
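As an added pre-apply check for steps 1 to 4 (example code written for this page, not part of the Palo Alto Networks template): a small Python validator that mirrors the `vnets` and `private_cluster_dns_tc_peering` maps as dicts and flags the mistakes that most often make the peering apply fail or leave the tag collector VM over-exposed: unreplaced `<placeholders>`, a VNet `id` that is not the full `/subscriptions/.../virtualNetworks/...` path, a `name` or `resource_group_name` that disagrees with the `id`, and an Allowed Management Access range of `0.0.0.0/0`. The subscription ID, VNet names and CIDRs are constructed sample values, and `management_access_cidrs` is an assumed key name standing in for the Allowed Management Access ranges entered in the SCM wizard.

```python
import ipaddress
import re

# Full Azure VNet resource path required by the procedure:
# /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>
VNET_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/virtualNetworks/(?P<vnet>[^/]+)$",
    re.IGNORECASE,
)
PLACEHOLDER_RE = re.compile(r"<[^>]*>")  # template values such as <sub-id> left unreplaced


def parse_vnet_id(vnet_id):
    """Return {'sub', 'rg', 'vnet'} for a well-formed VNet resource ID, else None."""
    m = VNET_ID_RE.match(vnet_id)
    return m.groupdict() if m else None


def check_vnet_entry(label, entry):
    """Check one vnets[...] map: required keys, id format, and name/rg agreement with the id."""
    problems = []
    for key in ("id", "name", "resource_group_name"):
        if key not in entry:
            problems.append(f"{label}: missing {key}")
        elif PLACEHOLDER_RE.search(str(entry[key])):
            problems.append(f"{label}: {key} still contains a <placeholder>")
    if problems:
        return problems
    parts = parse_vnet_id(entry["id"])
    if parts is None:
        return [f"{label}: id is not a /subscriptions/.../virtualNetworks/... path"]
    # Azure resource names are case-insensitive, so compare lower-cased.
    if parts["vnet"].lower() != entry["name"].lower():
        problems.append(f"{label}: name {entry['name']!r} does not match id ({parts['vnet']})")
    if parts["rg"].lower() != entry["resource_group_name"].lower():
        problems.append(f"{label}: resource_group_name does not match id ({parts['rg']})")
    return problems


def check_management_cidrs(cidrs):
    """Allowed Management Access ranges must parse and must not admit every source address."""
    problems = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"management access: {cidr!r} is not a valid CIDR")
            continue
        if net.prefixlen == 0:
            problems.append(f"management access: {cidr} allows every source address")
    return problems


def validate(cfg):
    """Run every check over a dict shaped like terraform.tfvars and return the findings."""
    findings = []
    for label, entry in cfg.get("vnets", {}).items():
        findings += check_vnet_entry(f"vnets.{label}", entry)
    for gname, group in cfg.get("private_cluster_dns_tc_peering", {}).items():
        if parse_vnet_id(group.get("tag_collector_vnet_id", "")) is None:
            findings.append(f"{gname}: tag_collector_vnet_id is malformed")
        for cname, cluster in group.get("clusters", {}).items():
            for key in ("resource_group_name", "private_dns_name"):
                if PLACEHOLDER_RE.search(str(cluster.get(key, "<missing>"))):
                    findings.append(f"{gname}.{cname}: {key} is missing or still a placeholder")
    findings += check_management_cidrs(cfg.get("management_access_cidrs", []))
    return findings


# Constructed sample values (not real subscriptions or clusters).
SUB = "00000000-0000-0000-0000-000000000000"
TC_VNET_ID = (f"/subscriptions/{SUB}/resourceGroups/test-template-Resource-Group-1"
              "/providers/Microsoft.Network/virtualNetworks/test-template-tag-collector-vnet")
APP_VNET_ID = f"/subscriptions/{SUB}/resourceGroups/app-rg/providers/Microsoft.Network/virtualNetworks/app-vnet"

GOOD_CFG = {
    "vnets": {"application-vnet": {"id": APP_VNET_ID, "name": "app-vnet", "resource_group_name": "app-rg"}},
    "private_cluster_dns_tc_peering": {"clusters_group_1": {
        "clusters": {"cluster1": {"resource_group_name": "app-rg", "private_dns_name": "cluster1-dns.example"}},
        "tag_collector_vnet_id": TC_VNET_ID}},
    "management_access_cidrs": ["10.20.0.0/24"],
}

BAD_CFG = {
    "vnets": {
        "application-vnet": {"id": "<private-cluster-path-and-id>", "name": "app-vnet", "resource_group_name": "app-rg"},
        "second-vnet": {"id": APP_VNET_ID, "name": "app-vnet", "resource_group_name": "other-rg"},
    },
    "private_cluster_dns_tc_peering": {"clusters_group_1": {
        "clusters": {"cluster1": {"resource_group_name": "app-rg", "private_dns_name": "<private-dns-name>"}},
        "tag_collector_vnet_id": TC_VNET_ID}},
    "management_access_cidrs": ["0.0.0.0/0"],
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(name, validate(cfg) or "OK")
```

Run it before `terraform init` and `terraform apply`; an empty findings list means the values are at least well-formed and internally consistent, while the checks on the management ranges catch a wizard entry that would expose the tag collector VM's management address to the whole Internet.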