Deploy AI Runtime Security Instance in GCP

Where Can I Use This?	What Do I Need?
AI Runtime Security instance deployment in GCP	Onboard GCP Cloud Account in SCM

This page guides you through deploying a customizable Terraform to add

AI Runtime Security

instance protection for GCP cloud resources.

On this page, you'll configure an AI Runtime Security instance in SCM, download the corresponding Terraform configuration, and deploy it in your cloud environment. This setup will integrate the AI Runtime Security instance into your cloud network architecture, enabling comprehensive monitoring and protection of your assets.

After onboarding, the SCM Command Center dashboard will show asset discovery with no

AI Runtime Security

instance protection deployed. Unprotected traffic paths to and from apps, models, and the internet are marked in red until you add firewall protection. For more details see Discover Your Cloud Resources.

Log in to SCM.
Select
Insights
→ AI Runtime Security
.
Select
Add Protections
("+" icon).
Select Cloud Service Provider
as Google Cloud and select
Next
.
In
Firewall Placement
, select one or more traffic flows to inspect.
The following table shows the network traffic type the AI Runtime Security instance or the VM-Series firewall can support:
Traffic Type	AI Runtime Security instance	VM-Series
AI Traffic - Traffic between your applications and AI Models	✅
Non-AI Traffic and namespaces (example, kube-system)	✅
Cluster Traffic	✅
Non-AI and non-cluster traffic	✅	✅
If you select the `kube-system` namespace, the VM-Series firewall option will be grayed out, as only AI Runtime Security instance can protect these namespaces.
Select
Next
.
In
Region & Applications
:
Select your cloud account to secure
from the onboarded cloud accounts list.
Select a region
from the available options.
In
Selected applications
:
Select the applications to secure from the drop-down list. This list includes application workloads such as namespaces, or VPCs.

Set the

Public IP address

of each application by selecting

Auto generate

or

Input manually

.

Protect the

Undiscovered VPC(s)

or add a new VPC by selecting

Add VPC

and enter the

VPC Name

,

VPC CIDRs

IP address ranges,

K8s pod CIDRs

(Optional) IP address ranges, and

K8s service CIDRs

(Optional).

Select

Submit

.
Select
Next
.
In
Protection Settings
:
Select
AI Runtime Security
instance or
VM-Series
firewall type based on the type of traffic you decided to protect under
Firewall Placement
in step 5.
Enter the
Service account attached to security VM
.
Number of firewalls to deploy
.
Select zones to deploy firewalls
.
Choose the instance type for the security VM
. (see Machine families resource and comparison guide for details).
In
IP addressing scheme
, enter the following:
CIDR value for untrust VPC
.
CIDR value for trust VPC
.
CIDR value for management VPC
.
In
Licensing
, enter the following:
Software version
for your image.
Flex authentication code
Device Certificate PIN ID
Device Certificate PIN value
In
SCM management parameters
:
List CIDR ranges to be allowed access to the management interface
.
Select the
SCM folder
to group the AI Runtime Security instance. Refer to Workflows: Folders - Strata Cloud Manager.
Enter the
SSH key to be used for login
(see how to Create SSH keys).
Select
Next
.
In
Review Architecture
screen:
Enter the

Terraform template name

.

Create terraform template

.

Save and Download Terraform Template

.

Before you deploy the Terraform template, create a GCP service identity. Execute the following command in the gcloud CLI to create the necessary service identity for your project. This step is required to successfully launch the AI Runtime Security Terraform template.

gcloud beta services identity create --service=cloudasset.googleapis.com --project=<your_gcp_prj_id>

Unzip the downloaded file, navigate to

<unzipped-folder>

that has 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment:

cd architecture

cd security_project
terraform init
terraform plan
terraform apply

cd ../application_project
terraform init
terraform plan
terraform apply

For additional security measures to protect your Kubernetes clusters, follow the steps outlined in the Configure SCM to Protect VM Workloads and Kubernetes Clusters page.

Terraform version required: > 1.3 and < 2.
Provide the required IAM Permissions to the user executing the Terraform template.

After the Terraform is deployed, the SCM Command Center dashboard starts discovering the cloud assets and it takes some time to populate the asset data.
Refer to Network Traffic Risk Analysis.
Select
Workflows
→ NGFW Setup
→ Device Management
.
In

Available Devices

, select the AI Runtime Security instance and move it to

Cloud Managed Devices

to be managed by SCM.
Switch to the
Cloud Managed Devices
tab to view and manage the connected state, the configuration sync state, and licenses of the deployed
AI Runtime Security
instances.
It takes a while before the
Device Status
shows as connected.
Configure SCM to Protect VM Workloads and Kubernetes Clusters and deploy pods.