AI Runtime Security
Azure
AI Runtime Security post-deployment configurations in Strata Cloud Manager (SCM) to protect VM workloads and K8s clusters.
- Log in to SCM.
- Configure the AI Runtime Security instance (firewall) interfaces:
  - Select Manage → Configuration → NGFW and Prisma Access.
  - Select Device Settings → Interfaces.
  - Set the Configuration Scope to your AI Runtime Security folder.
  - In the Ethernet tab, Configure a Layer 3 Interface for eth1/1 and eth1/2:
    - Interfaces: eth1/1 and eth1/2
    - Location: Specify a location if applicable
    - Interface Type: Layer3
    - IP Address: Dynamic (DHCP Client)
  - Select the Loopback tab to configure the Loopback interface:
    - In IPv4s, enter the ILB (Internal Load Balancer) private IP address.
  - Set the Security Zone to trust for eth1/1 and untrust for eth1/2.
  - Ensure the VR (Virtual Router) is set to default or the same as eth1/1.
- Create Zones. Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Zones.
- Create a Logical Router and add the Layer 3 interfaces (eth1/1 and eth1/2).
- Configure a Static Route with the ILB static IP addresses for routing. Use the trust interface gateway IP address.
- Add a security policy (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy → Add Rule). Ensure the policy allows health checks from the GCP Load Balancer (LB) pool to the internal LB IP from SCM. Check session IDs to ensure the firewall responds correctly on the designated interfaces.
Configurations to Secure VM Workloads
- Configure Static Routes for vNet endpoints:
  - Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.
  - For the vNet subnet:
    - Edit the IPv4 Static Routes and add the route for the vNet IPv4 range CIDR subnets.
    - Set the Next Hop as eth1/1.
    - Set the Destination as the trust subnet gateway IP from SCM.
    - Update the static route.
  - Save the logical router.
- Select Manage → Operations → Push Config and push the policy configurations to the AI Runtime Security instance.
Configurations to Secure the Kubernetes Clusters
- Add static routes on the Logical Router for Kubernetes workloads:
  - Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.
  - Configure Static Routes for the pod and service subnets of the Kubernetes workloads:
    - Pod Subnet:
      - Edit the IPv4 Static Routes and add a route with the Pod IPv4 range CIDR.
      - Set the Next Hop as eth1/1 (trust interface).
      - Set the Destination as the trust subnet gateway IP from SCM.
    - Service Subnet:
      - Edit the IPv4 Static Routes and add a route with the Service IPv4 range CIDR.
      - Set the Next Hop as eth1/1 (trust interface).
      - Set the Destination as the trust subnet gateway IP from SCM.
- Add a Source NAT Policy for outbound traffic:
  - Select Manage → Configuration → NGFW and Prisma Access → Network Policies → NAT.
  - Create or modify a Source NAT Policy:
    - Source Zone: Trust
    - Destination Zone: Untrust (eth1/2)
    - Policy Name: trust2untrust or similar
  - Configure the NAT settings in the Interface Address section: set the Interface to eth1/2 (the translation happens at eth1/2). If needed, create a complementary rule for the reverse direction (for example, untrust2trust).
- Select Manage → Operations → Push Config and push the policy configurations to the AI Runtime Security instance.
Note: If you have a Kubernetes cluster running, follow the section below to install a Kubernetes application with Helm.
Install a Kubernetes Application with Helm
Follow the steps below to install a Kubernetes application on a K8s cluster.
- Change the directory to the Helm folder:
  ```
  cd <unzipped-folder>/architecture/helm
  ```
- Create the `ai-runtime-security` directory and move the files below into it:
  ```
  mkdir ai-runtime-security
  mv Chart.yaml ai-runtime-security
  mv values.yaml ai-runtime-security
  mv templates ai-runtime-security
  ```
- Install the Helm chart:
  ```
  helm install ai-runtime-security ai-runtime-security --namespace kube-system --values ai-runtime-security/values.yaml
  ```
- Verify the Helm installation:
  ```
  # List all Helm releases
  helm list -A
  # Ensure the output shows your installation with details such as:
  NAME                 NAMESPACE    REVISION  UPDATED               STATUS    CHART                      APP VERSION
  ai-runtime-security  kube-system  1         2024-08-13 07:00 PDT  deployed  ai-runtime-security-0.1.0  11.2.2
  ```
- Check the pod status:
  ```
  kubectl get pods -A
  # Verify that pods with names similar to `pan-cni-*****` are present.
  ```
- Check the endpoint slices:
  ```
  kubectl get endpointslice -n kube-system
  # Confirm that the output shows an ILB IP address:
  NAME              ADDRESSTYPE  PORTS   ENDPOINTS              AGE
  my-endpointslice  IPv4         80/TCP  10.2xx.0.1,10.2xx.0.2  12h
  ```
- Check the services running in the `kube-system` namespace:
  ```
  kubectl get svc -n kube-system
  # Ensure that the services `pan-cni-sa` and `pan-plugin-user-secret` are listed:
  NAME                    TYPE       CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE
  pan-cni-sa              ClusterIP  10.xx.0.1   <none>       443/TCP  24h
  pan-plugin-user-secret  ClusterIP  10.xx.0.2   <none>       443/TCP  24h
  ```
- Annotate the application `yaml` or `namespace` so that traffic from the new pods is redirected to the AI Runtime Security instance (firewall) for inspection. For example, for all new pods in the "default" namespace, add the annotation to the manifest:
  ```
  annotations:
    paloaltonetworks.com/firewall: pan-fw
  ```
  or annotate the namespace directly:
  ```
  kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw
  ```
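The verification steps above, turned into pass/fail checks as an added example (this is not Palo Alto Networks' code). Each check reads the output of the corresponding `helm` or `kubectl` command on stdin; the function names, the column layout assumed from the sample output above, and the SAMPLE_* strings are constructed for the example, not taken from a real cluster.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks docs: post-install checks for the
# ai-runtime-security Helm release. Each check reads command output on stdin (pipe
# `helm list -A`, `kubectl get pods -A`, etc. into it on a live cluster); the SAMPLE_*
# strings are constructed stand-ins for that output (values are made up).

# Release listed in kube-system with STATUS deployed (grep rather than a column index,
# because helm's UPDATED column contains spaces).
check_helm_release() {
    grep -E '^ai-runtime-security[[:space:]]+kube-system[[:space:]]' | grep -qw deployed
}

# At least one pan-cni-* pod exists and all of them are Running
# (kubectl get pods -A columns: NAMESPACE NAME READY STATUS ...).
check_cni_pods() {
    awk '$2 ~ /^pan-cni-/ { n++; if ($4 != "Running") bad++ }
         END { exit !(n > 0 && bad == 0) }'
}

# Both services the chart creates are present in kube-system.
check_services() {
    awk '$1 == "pan-cni-sa" { a = 1 } $1 == "pan-plugin-user-secret" { b = 1 }
         END { exit !(a && b) }'
}

# Annotation value of the namespace, e.g. from:
#   kubectl get ns default -o jsonpath='{.metadata.annotations.paloaltonetworks\.com/firewall}'
check_ns_annotation() {
    [ "$(cat)" = "pan-fw" ]
}
# Run all checks against the given outputs; stops at the first failure with a reason.
run_checks() {
    printf '%s\n' "$1" | check_helm_release  || { echo "helm release not deployed"; return 1; }
    printf '%s\n' "$2" | check_cni_pods      || { echo "pan-cni pods missing or not Running"; return 1; }
    printf '%s\n' "$3" | check_services      || { echo "pan-cni-sa / pan-plugin-user-secret missing"; return 1; }
    printf '%s\n' "$4" | check_ns_annotation || { echo "namespace not annotated with pan-fw"; return 1; }
}

SAMPLE_HELM='NAME                 NAMESPACE    REVISION  UPDATED               STATUS    CHART                      APP VERSION
ai-runtime-security  kube-system  1         2024-08-13 07:00 PDT  deployed  ai-runtime-security-0.1.0  11.2.2'
SAMPLE_PODS='NAMESPACE     NAME            READY   STATUS    RESTARTS   AGE
kube-system   pan-cni-ab12c   1/1     Running   0          12h
kube-system   pan-cni-de34f   1/1     Running   0          12h
kube-system   coredns-5678a   1/1     Running   0          3d'
SAMPLE_SVC='NAME                     TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
pan-cni-sa               ClusterIP   10.0.0.10    <none>        443/TCP   24h
pan-plugin-user-secret   ClusterIP   10.0.0.11    <none>        443/TCP   24h'
# Stand-alone run against the constructed samples; on a cluster, pass real command output.
run_checks "$SAMPLE_HELM" "$SAMPLE_PODS" "$SAMPLE_SVC" "pan-fw" && echo "post-install checks passed"
```

On a live cluster, replace the sample strings with `"$(helm list -A)"`, `"$(kubectl get pods -A)"`, `"$(kubectl get svc -n kube-system)"` and the jsonpath output of the namespace annotation; a non-zero exit from `run_checks` means the installation or the redirect annotation is incomplete.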