In this section, you will configure Prisma AIRS AI Runtime:
Network intercept in Strata Cloud Manager, download the corresponding Terraform
template, and deploy it in your cloud environment. This setup will integrate the AI
network intercept in your cloud network architecture, enabling comprehensive
monitoring and protection of your assets.
After onboarding the cloud account, the Strata Cloud Manager command
center dashboard will show asset discovery with no firewall protection deployed.
Unprotected traffic paths to and from apps, models, and the internet are marked in
red until you add firewall protection. For more details, see Discover Your Cloud Resources.
Navigate to Insights → Prisma AIRS → Prisma AIRS AI Runtime: Network intercept.
Select Add Protections ("+" icon).
Select Cloud Service Provider as Azure and select Next.
In Firewall Placement, select one or more traffic flows to inspect.
The following table shows the network traffic types that Prisma AIRS AI Runtime: Network intercept or the VM-Series firewall can support:

| Traffic Type | Prisma AIRS AI Runtime: Network intercept | VM-Series |
|---|---|---|
| AI Traffic - Traffic between your applications and AI Models | ✅ | |
| Non-AI Traffic and namespaces (example, kube-system) | ✅ | |
| Cluster Traffic | ✅ | |
| Non-AI and non-cluster traffic | ✅ | ✅ |
When you select any namespace, the VM-Series
firewall option becomes unavailable because only Prisma AIRS AI Runtime: Network intercept can secure
these namespaces.
Select Next.
In Region & application(s):
Select your cloud account to secure from the onboarded cloud
accounts list.
Select a region in which you want to protect the
applications.
In Selected applications, select the applications to secure from
the available list.
This list includes application workloads such as namespaces or vNets. If you
select the kube-system namespace, the VM-Series firewall option will be grayed
out, as only Prisma AIRS AI Runtime: Network intercept
can protect these namespaces.
The available applications are determined by the
application definition criteria you configured during cloud account onboarding in the
“Application Definition” step.
Configure Traffic Inspection (to protect your clusters at
namespace-level only):
Traffic steering inspection is available only when you select namespaces from the applications list. Select the namespace and configure how to handle traffic from specific network segments (a maximum of 10 CIDRs per cluster can be inspected or bypassed at any time):
Inspect certain CIDRs: Only inspect traffic from the specified subnet ranges.
Bypass certain CIDRs: Exclude traffic from the specified subnet ranges from inspection.
For container applications, all traffic to and from the applications is protected by default. Use the traffic inspection options only when you need granular control over which network segments are inspected or bypassed.
When protecting traffic from namespaces using traffic inspection, select only the namespace and not its parent VPC to avoid deployment failures. The same GWLB endpoint cannot be used for both VPC- and namespace-level protection in the same zone.
Select the Added vNet tab if you want to secure a vNet. Enter the following values:
Enter the vNet Name. Get the vNet name from the Azure portal → Virtual networks page.
Enter the vNet CIDR. To view the vNet CIDR, go to the Azure portal → Virtual networks and select your virtual network. Under Settings, click Address space to view the CIDR block.
Enter the CIDR ranges to be inspected in the Inspect certain CIDRs field.
Enter the CIDR ranges to be bypassed in the Bypass certain CIDRs field.
Select Submit.
In Protection Settings:
In the Deployment parameters, select the AI Runtime Security or VM-Series firewall type based on the type of traffic you decided to protect in the Firewall Placement step.
Enter the number of firewalls to deploy.
Select the zones in which to deploy firewalls from the available zones.
Select the PAN-OS version for your image from the available list.
Enter the Flex authentication code (copy the AUTH CODE of the deployment profile you created for Prisma AIRS AI Runtime: Network intercept in the Customer Support Portal).
Enter a unique Terraform template name. Use only lowercase letters, numbers, and hyphens; don't use a hyphen at the beginning or end, and limit the name to under 19 characters.
Review the topology for your AI network architecture.
Click Create terraform template.
Click Download terraform template.
Close the deployment workflow to exit.
Run the following commands in the Azure CLI to accept the Prisma AIRS AI Runtime: Network intercept subscription (the first line shows the general URN form, the second the values for this image):

```shell
az vm image accept-terms --urn publisher:offer:sku:version
az vm image accept-terms --urn paloaltonetworks:airs-flex:airs-byol:version
```

Get the version from the `vmseries_version` value in the Terraform file:
`<azure-deployment-terraform-path>/architecture/security_project/terraform.tfvars`
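As an added pre-flight helper (not code from the original page or from Palo Alto Networks), the script below checks a template name against the naming rules from the Protection Settings step, reads `vmseries_version` from terraform.tfvars and builds the image URN for `az vm image accept-terms`; the tfvars content, version and template name it uses are constructed samples.

```shell
#!/bin/sh
# Added pre-flight helper, not from the original page or Palo Alto Networks:
# checks a Terraform template name against the workflow's naming rules, reads
# vmseries_version from terraform.tfvars and builds the marketplace image URN.
set -eu
export LC_ALL=C   # keep the [a-z] range ASCII-only regardless of locale

# Returns 0 when NAME uses only lowercase letters, digits and hyphens, does not
# start or end with a hyphen, and is under 19 characters; 1 otherwise.
valid_template_name() {
  name=$1
  [ "${#name}" -ge 1 ] && [ "${#name}" -lt 19 ] || return 1
  case $name in
    -*|*-) return 1 ;;          # no leading or trailing hyphen
    *[!a-z0-9-]*) return 1 ;;   # any other character is rejected
  esac
  return 0
}

# Prints the vmseries_version value from the tfvars file given as $1
# (tolerates surrounding whitespace and a trailing comment).
vmseries_version_from_tfvars() {
  sed -n 's/^[[:space:]]*vmseries_version[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Prints the URN for az vm image accept-terms using the publisher/offer/sku
# from the page and the version given as $1.
airs_image_urn() {
  printf 'paloaltonetworks:airs-flex:airs-byol:%s\n' "$1"
}

# Runs the checks against a constructed tfvars sample and a placeholder name,
# and only calls az when it is installed.
preflight() {
  name=${1:-airs-intercept-01}   # placeholder template name
  valid_template_name "$name" || { echo "invalid template name: $name" >&2; return 1; }
  tfvars=$(mktemp)
  printf 'vmseries_version = "11.2.3" # constructed sample value\n' > "$tfvars"
  version=$(vmseries_version_from_tfvars "$tfvars")
  rm -f "$tfvars"
  urn=$(airs_image_urn "$version")
  if command -v az >/dev/null 2>&1; then
    az vm image accept-terms --urn "$urn"
  else
    echo "az not found; would run: az vm image accept-terms --urn $urn"
  fi
}
```

In a real run, replace the constructed tfvars with the path quoted above and pass the template name you entered in Strata Cloud Manager to `preflight`.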
Unzip the downloaded file. Navigate to <unzipped-folder>
with 2 directories: `architecture` and `modules`. Deploy the Terraform templates
in your cloud environment following the `README.md` file in the `architecture`
folder.
Initialize and apply the Terraform for the security_project. The security_project contains the Terraform plan to deploy the Prisma AIRS AI Runtime: Network intercept in your architecture.

```shell
cd architecture
cd security_project
terraform init
terraform plan
terraform apply
```
Note: After applying the Terraform, note the IP
addresses from lbs_external_ips and lbs_internal_ips outputs.
You will need these later while configuring Strata Cloud Manager.
Run the application Terraform to peer the application VNets with the security VNet.

```shell
cd ../application_project
terraform init
terraform plan
terraform apply
```
The security_project Terraform templates create the resources in the gray
box.
The application_project Terraform templates create the peering
connections.
The Azure deployment Terraform creates a route table.
Use it to direct your outbound traffic to the firewall.
Associate the route table created by the deployment Terraform with the subnet
of your application to protect your resources and direct outbound traffic
through the firewall.
In the Azure portal, search for and select
Virtual networks.
Select the virtual network that contains your application subnet.
In the virtual network menu bar, choose Subnets.
On the Subnets page, select the subnet where your application resources
are deployed.
In the Route table field, choose the route table created by the deployment Terraform. This route table is typically named with a prefix related to your Prisma AIRS AI Runtime: Network intercept deployment.
Select Save.
By associating this specific route table, you ensure
that all outbound traffic from your application subnet is directed through
the Prisma AIRS AI Runtime: Network intercept.
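As an added example (not from the original page or Palo Alto Networks' own tooling), the Azure CLI equivalent of the portal steps above, plus a check that the route table's default route really points at the firewall's internal load balancer before you rely on it. Resource group, vNet, subnet and route table names are placeholders; the firewall IP is the one you noted from the `lbs_internal_ips` output.

```shell
#!/bin/sh
# Added example, not from the original page: associate the deployment route table
# with the application subnet via the Azure CLI and verify that the subnet's default
# route sends traffic to the firewall's internal load balancer.
set -eu

# Associates route table $4 with subnet $3 in vNet $2 of resource group $1
# (CLI equivalent of the portal steps; all names are placeholders).
associate_route_table() {
  az network vnet subnet update --resource-group "$1" --vnet-name "$2" \
    --name "$3" --route-table "$4"
}

# Lists the routes of route table $2 in resource group $1 as tab-separated
# "addressPrefix nextHopType nextHopIpAddress" lines.
list_routes_tsv() {
  az network route-table route list --resource-group "$1" --route-table-name "$2" \
    --query "[].[addressPrefix,nextHopType,nextHopIpAddress]" --output tsv
}

# Returns 0 when the tab-separated route lines in $1 contain a 0.0.0.0/0 route
# whose next hop is the VirtualAppliance at IP $2 (the internal LB IP from the
# lbs_internal_ips Terraform output), 1 otherwise.
default_route_points_to_firewall() {
  printf '%s\n' "$1" | awk -F'\t' -v ip="$2" \
    '$1 == "0.0.0.0/0" && $2 == "VirtualAppliance" && $3 == ip { found = 1 }
     END { exit found ? 0 : 1 }'
}

# Ties the two together: associate, then confirm the steering route is present.
protect_subnet() {  # rg vnet subnet route_table firewall_ip
  associate_route_table "$1" "$2" "$3" "$4"
  routes=$(list_routes_tsv "$1" "$4")
  if default_route_points_to_firewall "$routes" "$5"; then
    echo "OK: $3 default route -> $5 via VirtualAppliance"
  else
    echo "WARNING: $4 has no 0.0.0.0/0 route to $5; outbound traffic would bypass the firewall" >&2
    return 1
  fi
}
```

Call `protect_subnet <rg> <vnet> <subnet> <route-table> <firewall-ip>` with your own values; the VnetLocal route Azure adds automatically is ignored by the check.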
Configure Strata Cloud Manager or Panorama to secure VM workloads and
Kubernetes clusters and deploy pods. Configure interfaces, zones, NAT policy,
routers, and security policy rules.
Navigate to Workflows → NGFW Setup → Device Management. The Prisma AIRS AI Runtime: Network intercept appears under Cloud Managed Devices.
Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the deployed Prisma AIRS AI Runtime: Network intercept licenses.
It takes a while before the Device Status shows as
connected.