Learn how to deploy the Terraform template to enable Prisma AIRS: Network intercept protection on AWS cloud resources.
In this page, you will configure Prisma AIRS AI Runtime:
Network intercept in Strata Cloud Manager, download the corresponding Terraform
template, and deploy it in your cloud environment. This setup will integrate the
network intercept in your cloud network architecture, enabling comprehensive
monitoring and protection of your assets.
After onboarding the cloud account, the Strata Cloud Manager command
center dashboard will show asset discovery with no firewall protection deployed.
Unprotected traffic paths to and from apps, models, and the internet are marked in
red until you add firewall protection. For more details, see Discover Your Cloud Resources.
Navigate to Insights > Prisma AIRS > Prisma AIRS AI Runtime: Network intercept.
Select Add Protections ("+" icon).
Select Cloud Service Provider as AWS and choose Next.
In Firewall Placement, select one of:
All traffic: protects AI and non-AI applications. This traffic
can only be inspected by Prisma AIRS AI Runtime:
Network intercept.
Non-AI traffic only: protects all traffic except the traffic
between your applications and the AI models. This traffic can be
inspected by either Prisma AIRS AI Runtime: Network
intercept or a VM-Series firewall.
Select Next.
In Regions & Application(s):
Select the cloud account to secure.
Select the region in which you want to protect the
applications.
In Selected applications, select the applications to secure from
the available list.
The available applications are
determined by the application definition criteria you configured
in the "Application Definition" step of cloud account
onboarding.
In GWLB Endpoint CIDR & Zone Pair, enter a zone and CIDR pair for
each application:
Select all applicable zones from the available list to secure
traffic for each application. These are the zones in which the
GWLB endpoints are created.
For each cluster, enter the CIDR of an unused subnet range
within your application VPC. The GWLB endpoint is created in
this range. To find the permitted range, open the AWS Management
Console, select your application VPC, and record its IPv4 CIDR:
the GWLB endpoint CIDR must fall inside that VPC CIDR and must
not overlap any subnet that already exists in the VPC.
Configure Traffic Inspection (to protect your clusters at the
namespace level only):
Traffic steering inspection is available only when you select namespaces from
the applications list. Select the namespace and configure how to handle
traffic from specific network segments. At most 10 CIDRs per cluster can be
inspected or bypassed at any time:
Inspect certain CIDRs: Inspect only traffic from the specified
subnet ranges.
Bypass certain CIDRs: Exclude traffic from the specified subnet
ranges from inspection.
For
container applications, all traffic to and from the applications
is protected by default. Use the traffic inspection options only
when you need granular control over which network segments are
inspected or bypassed.
When protecting namespace traffic with traffic inspection,
select only the namespace and not its parent VPC. Selecting both
causes deployment failures, because the same GWLB endpoint cannot
be used for both VPC-level and namespace-level protection in the
same zone.
Select the Undiscovered VPC(s) tab and click Add VPC.
Enter the following configurations:
VPC ID.
Cluster ID.
CIDR ranges to be inspected in the Inspect certain CIDRs
field.
CIDR ranges to be bypassed in the Bypass certain CIDRs
field.
In Zone and other info:
Select a zone from the available list.
GWLB endpoint CIDR. (In the AWS console, go to VPC >
Endpoints. Select your GWLB endpoint > Details tab >
Subnet field and copy the CIDR).
VPC VM subnet IDs. (Navigate to VPC >
Subnets in the AWS console. Select your subnet and
copy the subnet ID from the details panel).
Click Setup for a new zone to configure these values for
another zone.
Select Submit.
Select Next.
In Protection Settings:
The firewall requires a minimum of 4 vCPUs.
In Deployment parameters, select the AI Runtime Security
or VM-Series firewall type, matching the type of traffic you
chose to protect in the Firewall Placement step.
Enter the number of firewalls to deploy.
Select the zones in which to deploy firewalls from the available zones.
The firewall zones must cover every zone you selected for each
application under Selected applications. For example, in the AWS
region us-west-1, if App1 uses ZoneA and ZoneE, and App2 uses ZoneB
and ZoneD, the firewall must be deployed in ZoneA, ZoneB, ZoneD, and
ZoneE. This ensures that when Terraform creates the GWLB service, all
corresponding zones are covered.
Choose the instance type for the security VM (see Amazon EC2 instance types for the
supported instance types; it must provide at least 4 vCPUs).
Configure the following:
IP addressing scheme
Licensing
Management parameters
Configure the following fields:
CIDR for security VPC: Enter a CIDR range for the security
VPC that the template creates. It must not overlap with your
application VPCs or with any other VPC attached to the transit
gateway. (Check the existing VPC CIDRs in the AWS Management
Console > VPC before choosing one.)
In Create transit gateway, select:
No: If you choose No, then in
the Select transit gateway field, select
the existing TGW ID from the available
list. (Go to AWS Management
Console > VPC dashboard > Transit Gateways
to get the TGW ID).
Yes: If you choose Yes, you can
optionally enter the Autonomous system number
(ASN) for the new Transit Gateway. (Refer to create a transit
gateway for more information).
Update the VPC route table by mapping the TGW
attachment. This directs network traffic through
the Transit Gateway, facilitating connectivity
between Prisma AIRS AI
Runtime: Network intercept and other VPCs.
Enable Cross-Zone load balancing to
distribute incoming traffic evenly across targets
in multiple availability zones.
Enter the following values:
PAN-OS version for your image from the
available list.
Flex authentication code (copy the AUTH CODE
of the deployment profile you created for AI Runtime
Security: Network intercept in the Customer Support
Portal).
Enable Deploy NAT Gateway to create a NAT gateway in
the security VPC. Egress traffic then leaves the security
VPC through that NAT gateway and the security VPC's
internet gateway (IGW).
Enable Overlay Routing: Overlay routing,
when integrated with your Prisma AIRS AI Runtime: Network
intercept and the AWS Gateway Load Balancer
(GWLB), lets you use a two-zone policy to inspect
egress traffic from your AWS environment. This
allows packets to leave the Prisma AIRS firewall through a
different interface than the one they entered
through.
For a summary of different
configurations for handling egress traffic, refer
to the Egress Traffic Handling Scenarios on
AWS table.
This
feature is only supported on PAN-OS version
11.2.8 or later.
List the CIDR ranges that are allowed to access the
management interface. Limit this to your administrative
networks (for example, a bastion host or VPN egress range);
do not allow 0.0.0.0/0.
This table summarizes the different configurations for handling egress
traffic with Prisma AIRS on AWS, for each combination of the Overlay
Routing and Deploy NAT Gateway settings.

Deploy NAT Gateway Disabled, Overlay Routing Enabled:
  Dual-arm architecture (eth1/1 and eth1/2).
  eth1/2 has a public IP.
  Direct egress through eth1/2 to the internet gateway (IGW).
  Eliminates NAT gateway costs.

Deploy NAT Gateway Disabled, Overlay Routing Disabled:
  Single-arm architecture (only eth1/1).

Deploy NAT Gateway Enabled, Overlay Routing Enabled:
  Dual-arm architecture (eth1/1 and eth1/2).
  eth1/2 is private (no public IP).
  Egress through eth1/2 to the NAT gateway deployed in the security VPC.
  Avoids public IP costs.

Deploy NAT Gateway Enabled, Overlay Routing Disabled:
  Single-arm architecture (only eth1/1).
  All traffic goes through the NAT gateway in the security VPC.
Select Next.
In Review architecture:
Enter a unique Terraform template name. Use only
lowercase letters, numbers, and hyphens; do not start or end the
name with a hyphen, and keep it under 19 characters.
Review the topology for your AI network architecture.
Click Create terraform template.
Click Download terraform template.
Close the deployment workflow to exit.
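Several of the wizard inputs above are easy to get wrong and only fail later, when Terraform runs: a GWLB endpoint CIDR outside the application VPC or overlapping an existing subnet, more than 10 steering CIDRs for a cluster or the same range in both the inspect and bypass lists, firewall zones that do not cover every selected application zone, a template name that breaks the naming rule, and a management-access list that admits the whole internet. The pre-flight script below is an added example written for this page; it is not part of the Palo Alto Networks product or its Terraform template. The function names and sample inputs are made up here, and two interpretations are assumptions: the 10-CIDR limit is counted across inspect and bypass entries combined, and any management CIDR broader than a /16 is treated as too permissive.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Limits stated by the wizard. Counting inspect and bypass entries together
# against the 10-CIDR limit is an assumption; the page only says "10 CIDRs per cluster".
MAX_STEERING_CIDRS = 10
MAX_TEMPLATE_NAME_LEN = 18   # "under 19 characters"
# Assumption: anything broader than a /16 is too permissive for management access.
MGMT_MIN_PREFIXLEN = 16


def gwlb_endpoint_cidr_ok(vpc_cidr: str, existing_subnets: Iterable[str], candidate: str) -> bool:
    """The GWLB endpoint CIDR must sit inside the application VPC's IPv4 CIDR and must
    not overlap any subnet that already exists there (the wizard asks for an unused range)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    cand = ipaddress.ip_network(candidate, strict=True)
    if cand.version != vpc.version or not cand.subnet_of(vpc):
        return False
    return not any(cand.overlaps(ipaddress.ip_network(s, strict=True)) for s in existing_subnets)


def steering_cidr_problems(inspect: list[str], bypass: list[str]) -> list[str]:
    """Problems with a namespace's inspect/bypass lists: malformed entries, more than
    MAX_STEERING_CIDRS in total, or a range that appears on both sides."""
    problems = []
    total = len(inspect) + len(bypass)
    if total > MAX_STEERING_CIDRS:
        problems.append(f"{total} CIDRs exceed the limit of {MAX_STEERING_CIDRS} per cluster")
    parsed = {"inspect": [], "bypass": []}
    for side, entries in (("inspect", inspect), ("bypass", bypass)):
        for entry in entries:
            try:
                parsed[side].append(ipaddress.ip_network(entry, strict=True))
            except ValueError:
                problems.append(f"{side}: {entry!r} is not a valid CIDR")
    for ins in parsed["inspect"]:
        for byp in parsed["bypass"]:
            if ins.version == byp.version and ins.overlaps(byp):
                problems.append(f"{ins} (inspect) overlaps {byp} (bypass)")
    return problems


def missing_firewall_zones(app_zones: dict[str, set[str]], firewall_zones: set[str]) -> set[str]:
    """Zones used by any protected application that the firewall deployment does not cover.
    This must be empty, otherwise Terraform cannot build the GWLB service for every zone."""
    needed = set()
    for zones in app_zones.values():
        needed |= set(zones)
    return needed - set(firewall_zones)


def template_name_ok(name: str) -> bool:
    """Lowercase letters, digits and hyphens only, no leading/trailing hyphen, under 19 chars."""
    return (len(name) <= MAX_TEMPLATE_NAME_LEN
            and re.fullmatch(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", name) is not None)


def overly_broad_mgmt_cidrs(allowed: Iterable[str]) -> list[str]:
    """Management-access CIDRs broader than MGMT_MIN_PREFIXLEN (0.0.0.0/0 included)."""
    return [c for c in allowed
            if ipaddress.ip_network(c, strict=True).prefixlen < MGMT_MIN_PREFIXLEN]


if __name__ == "__main__":
    # Constructed sample inputs mirroring the wizard fields; not real account data.
    print(gwlb_endpoint_cidr_ok("10.10.0.0/16", ["10.10.1.0/24", "10.10.2.0/24"], "10.10.250.0/28"))
    print(steering_cidr_problems(["10.10.1.0/24"], ["10.10.1.128/25"]))
    print(missing_firewall_zones({"App1": {"ZoneA", "ZoneE"}, "App2": {"ZoneB", "ZoneD"}},
                                 {"ZoneA", "ZoneB", "ZoneD"}))
    print(template_name_ok("airs-nw-intercept-01"), template_name_ok("airs-west1"))
    print(overly_broad_mgmt_cidrs(["0.0.0.0/0", "203.0.113.0/24"]))
```

Run the checks against the values you intend to enter before creating the template. A nonempty result from any of them is a reason to correct the input now rather than discover it when Terraform fails to create the GWLB service or the endpoints.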
Before you deploy the Terraform template, sign in to the AWS
Console, go to AWS Marketplace, and subscribe to the image you will
use. Subscribe to the same image for both the AI network intercept
firewall and the tag collector. Also make sure the shell you run
Terraform from has credentials for the target AWS account.
Unzip the downloaded file. The <unzipped-folder> contains two
directories, `architecture` and `modules`. Deploy the Terraform
templates in your cloud environment by following the `README.md` file
in the `architecture` folder.
Initialize and apply the Terraform for the security_project.
The security_project contains the Terraform plan that creates the AI Runtime
Security: Network intercept architecture.

```shell
cd architecture/security_project
terraform init
terraform plan
terraform apply
```

Run the application Terraform to peer the application VPCs.

```shell
cd ../application_project
terraform init
terraform plan
terraform apply
```

Applying the Terraform for the
application_project creates the GWLB endpoints in your
AWS account.
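Because applying the application_project changes routing inside your application VPC, it is worth reviewing the saved plan before applying it. The script below is an added example written for this page, not code from the Terraform template or from Palo Alto Networks. It reads the JSON that `terraform show -json <planfile>` emits after `terraform plan -out=<planfile>`, lists the GWLB endpoints the plan will create, flags any whose subnet is not one you entered in the wizard, and flags every resource the plan would delete or replace. The embedded plan is a constructed sample with hypothetical module and resource addresses; the real template's names will differ, but the fields used (resource_changes, type, change.actions, change.after) are Terraform's standard plan JSON format, and vpc_endpoint_type, vpc_id and subnet_ids are attributes of the AWS provider's aws_vpc_endpoint resource.

```python
from __future__ import annotations

import json
import sys

GWLB_ENDPOINT_TYPE = "GatewayLoadBalancer"

# Constructed sample in the shape of `terraform show -json tfplan` output, trimmed to the
# fields used below. The resource addresses are hypothetical; the vendor template's
# module and resource names may differ.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.application_vpc.aws_vpc_endpoint.gwlbe_zone_a",
         "type": "aws_vpc_endpoint",
         "change": {"actions": ["create"],
                    "after": {"vpc_endpoint_type": "GatewayLoadBalancer",
                              "vpc_id": "vpc-0a1b2c3d",
                              "subnet_ids": ["subnet-0gwlbe00a"]}}},
        {"address": "module.application_vpc.aws_vpc_endpoint.gwlbe_zone_b",
         "type": "aws_vpc_endpoint",
         "change": {"actions": ["create"],
                    "after": {"vpc_endpoint_type": "GatewayLoadBalancer",
                              "vpc_id": "vpc-0a1b2c3d",
                              "subnet_ids": ["subnet-0deadbeef"]}}},
        {"address": "module.application_vpc.aws_route.app_default_route",
         "type": "aws_route",
         "change": {"actions": ["delete", "create"], "after": {}}},
    ],
})


def planned_gwlb_endpoints(plan: dict) -> list[dict]:
    """GWLB endpoints the plan will create, with the VPC and subnets they land in."""
    found = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after") or {}   # "after" is null for pure deletes
        if (rc.get("type") == "aws_vpc_endpoint"
                and "create" in change.get("actions", [])
                and after.get("vpc_endpoint_type") == GWLB_ENDPOINT_TYPE):
            found.append({"address": rc["address"],
                          "vpc_id": after.get("vpc_id"),
                          "subnet_ids": sorted(after.get("subnet_ids") or [])})
    return found


def destructive_changes(plan: dict) -> list[str]:
    """Addresses the plan would delete or replace. On a first apply into an
    application VPC this should be empty, so anything here deserves a look."""
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if "delete" in rc.get("change", {}).get("actions", [])]


def review_plan(plan_json: str, expected_subnet_ids: set[str]) -> dict:
    """Points to check before `terraform apply`: GWLB endpoints placed in subnets other
    than the ones entered in the wizard, and destructive changes."""
    plan = json.loads(plan_json)
    endpoints = planned_gwlb_endpoints(plan)
    misplaced = [e["address"] for e in endpoints
                 if not set(e["subnet_ids"]) <= set(expected_subnet_ids)]
    return {"gwlb_endpoints": len(endpoints),
            "misplaced": misplaced,
            "destructive": destructive_changes(plan)}


if __name__ == "__main__":
    # Usage: terraform plan -out=tfplan && terraform show -json tfplan \
    #        | python review_plan.py subnet-aaa subnet-bbb
    # With no piped input the constructed sample plan is reviewed instead.
    expected = set(sys.argv[1:]) or {"subnet-0gwlbe00a", "subnet-0gwlbe00b"}
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    print(json.dumps(review_plan(source, expected), indent=2))
```

Pass the subnet IDs you recorded for the GWLB endpoint CIDRs as arguments. An endpoint in the misplaced list, or any entry in the destructive list, means the plan does not match what you configured in the wizard and should not be applied until you understand why.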
Configure Strata Cloud Manager or Panorama to secure VM workloads and
Kubernetes clusters and deploy pods. Configure interfaces, zones, NAT policy,
routers, and security policy rules.
Navigate to Workflows→ NGFW Setup → Device Management. The Prisma AIRS: Network intercept appears under Cloud
Managed Devices.
Switch to the Cloud Managed Devices tab to view and
manage the connected state, the configuration sync state, and the deployed Prisma AIRS AI Runtime: Network intercept licenses.
It takes a while before the Device Status shows as
connected.