Deploy AI Runtime Security: Network Intercept in GCP
Focus
Focus
AI Runtime Security

Deploy AI Runtime Security: Network Intercept in GCP

Table of Contents

Deploy AI Runtime Security: Network Intercept in GCP

Add an AI Runtime Security: Network intercept in Strata Cloud Manager to generate the Terraform template.
Where Can I Use This?What Do I Need?
  • AI Runtime Security instance deployment in GCP
This page guides you through deploying a customizable Terraform to add AI Runtime Security: Network intercept protection for GCP cloud resources.
On this page, you will configure an AI Runtime Security: Network intercept in Strata Cloud Manager, download the corresponding Terraform configuration, and deploy it in your cloud environment. This setup will integrate the AI Runtime Security instance into your cloud network architecture, enabling comprehensive monitoring and protection of your assets.
After onboarding, the Strata Cloud Manager Command Center dashboard will show asset discovery with no AI Runtime Security protection deployed. Unprotected traffic paths to and from apps, models, and the internet are marked in red until you add firewall protection. For more details, see Discover Your Cloud Resources.
  1. Select Insights → AI Runtime Security.
  2. Select Add Protections ("+" icon).
  3. Select Cloud Service Provider as Google Cloud and select Next.
  4. In Firewall Placement, select one or more traffic flows to inspect.
    The following table shows the network traffic type the AI Runtime Security instance or the VM-Series firewall can support:
    Traffic TypeAI Runtime Security instanceVM-Series
    AI Traffic - Traffic between your applications and AI Models
    Non-AI Traffic and namespaces (example, kube-system)
    Cluster Traffic
    Non-AI and non-cluster traffic
    If you select the `kube-system` namespace, the VM-Series firewall option will be grayed out, as only an AI Runtime Security instance can protect these namespaces.
  5. Select Next.
  6. In Region & Applications:
    • Select your cloud account to secure from the onboarded cloud accounts list.
    • Select a region from the available options.
    • In Selected applications:
      • Select the applications to secure from the drop-down list. This list includes application workloads such as namespaces, or VPCs.
      • Set the Public IP address of each application by selecting Auto generate or Input manually.
      • Protect the Undiscovered VPC(s) or add a new VPC by selecting Add VPC and enter the VPC Name, VPC CIDRs IP address ranges, K8s pod CIDRs (Optional) IP address ranges, and K8s service CIDRs (Optional).
      • Select Submit.
    • Select Next.
  7. In Protection Settings:
    1. Select an AI Runtime Security instance or VM-Series firewall type based on the type of traffic you decided to protect under Firewall Placement in step 5.
    2. Enter the Service account attached to security VM.
    3. Number of firewalls to deploy.
    4. Select zones to deploy firewalls.
    5. Choose the instance type for the security VM. (See Machine families resource and comparison guide for details).
    6. In the IP addressing scheme, enter the following:
      • CIDR value for untrust VPC.
      • CIDR value for trust VPC.
      • CIDR value for management VPC.
    7. In Licensing, enter the following:
    8. In SCM management parameters:
    9. Select Next.
  8. In Review Architecture screen:
    • Enter a unique Terraform template name (use only alphanumeric characters and hyphens, avoid using a hyphen at the beginning or end, and limit the name under 19 characters).
    • Create terraform template.
    • Save and Download Terraform Template.
    • Unzip the downloaded file. Navigate to <unzipped-folder> with 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment:
      cd architecture cd security_project terraform init terraform plan terraform apply cd ../application_project terraform init terraform plan terraform apply
      For additional security measures to protect your Kubernetes clusters, follow the steps outlined in the Configure Strata Cloud Manager to Secure VM Workloads and Kubernetes Clusters page.
  9. Select Workflows → NGFW Setup → Device Management. The AI Runtime Security: Network intercept appears under Cloud Managed Devices.
  10. Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the licenses of the deployed AI Runtime Security: Network intercept (instances).
    It takes a while before the Device Status shows as connected.