View Your VPCs, VNets, and Applications with the Cloud Asset Map

Learn how to use the Cloud Asset Map.
Where Can I Use This?
What Do I Need?
  • Prisma AIRS AI Runtime Firewall
The Prisma AIRS Cloud Asset Map is a powerful tool that provides a unified view of your cloud infrastructure and protection status across multiple cloud providers. It enables you to visualize your cloud network topology, understand the protection status of your resources, and implement automated firewall deployment to secure your applications.
At its core, Multi-Cloud Security Fabric Discovery scans your cloud environments to identify regions, VPCs, subnets, and applications. It then analyzes traffic patterns and security configurations to determine whether your resources are protected, partially protected, or unprotected. This assessment is based on evaluation of the following traffic types: App-to-App, App-to-Model, App-to-Internet, and User-to-App traffic flows.
The infrastructure view provides a geographical representation of your cloud regions, showing resource distribution and protection status. You can drill down into specific regions to view detailed information about VPCs, applications, firewalls, and tunnels deployed in that region. The topology view offers a more detailed perspective, allowing you to explore the relationships between different components within your cloud infrastructure.
For each VPC, Multi-Cloud Security Fabric Discovery determines protection status by evaluating whether traffic is being inspected by AI Runtime Security firewalls. A VPC is considered protected when all of its subnets are fully protected for all defined use cases. When some subnets lack complete protection, the VPC is marked as partially protected. If no subnets have any protection enabled, the VPC is classified as unprotected.
Once you've identified unprotected or partially protected resources, you can use the automated deployment feature to secure your infrastructure. This process includes creating security VPCs, deploying firewall instances, setting up load balancers, and configuring the necessary routing to redirect traffic through the security infrastructure. The system supports various traffic patterns including east-west traffic within a VPC, between VPCs in the same region, across different regions, and north-south traffic to internet destinations.
To enable these capabilities, you'll need to onboard your cloud accounts to Strata Cloud Manager with appropriate permissions. The system requires read permissions to discover your infrastructure. The implementation follows best practices to minimize traffic disruption, making it suitable for production environments.

Cloud Asset Map

Before you can see your cloud assets on the Cloud Asset map, you must have the following:
AWS:
  • Onboard your AWS account to Prisma AIRS.
  • Application VPCs that are connected to a transit gateway (TGW).
Azure:
  • Onboard your Azure account to Prisma AIRS.
Prisma AIRS supports VNet peering on Azure and TGW peering on AWS. Azure Virtual WAN (vWAN)-based deployments are not supported.
The Prisma AIRS Cloud Asset Map provides a detailed view of your discovered VPCs or VNets across multiple cloud service providers. The Cloud Asset Map aggregates data about your AWS and Azure deployments into a view that highlights the protection status of the applications and VPCs or VNets in your cloud environment. It gives you a bird's-eye view of the regions in which you have resources running, based on the onboarded cloud accounts.
The map is separated by geographic location, which you can click to drill down. The number on each location represents the number of cloud service provider regions within that geographic region. Each region (geographic or cloud) is assigned a color based on the level of protection in that region. The status of each region is determined at the VPC level.
  • Red regions are unprotected and traffic in that region doesn’t move through an AIRS or VM-Series firewall.
  • Orange regions are partially protected. Some traffic types in this region move through an AIRS or VM-Series firewall, while others do not.
  • Green regions are protected. All four traffic types in this region pass through the firewall.
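The VPC rule described earlier (protected only when every subnet covers all four traffic flows, unprotected when no subnet has any protection, partially protected otherwise) and the red/orange/green region colors above are easy to get wrong when reasoning about a mixed environment. The following Python model, added here as an illustration and not Prisma AIRS code, applies those rules to a constructed inventory. The region roll-up rule (green only when every VPC is protected, red when no VPC has any protection, orange otherwise) and the treatment of a VPC with no discovered subnets as unprotected are assumptions; the inventory, VPC and subnet names are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum

# The four traffic flows the assessment evaluates (from the page).
TRAFFIC_TYPES = ("app_to_app", "app_to_model", "app_to_internet", "user_to_app")


class Status(str, Enum):
    PROTECTED = "protected"            # shown green on the map
    PARTIAL = "partially protected"    # shown orange
    UNPROTECTED = "unprotected"        # shown red


COLOUR = {Status.PROTECTED: "green", Status.PARTIAL: "orange", Status.UNPROTECTED: "red"}


@dataclass
class Subnet:
    name: str
    # traffic type -> True when that flow is inspected by an AIRS / VM-Series firewall
    inspected: dict[str, bool] = field(default_factory=dict)

    def fully_protected(self) -> bool:
        return all(self.inspected.get(t, False) for t in TRAFFIC_TYPES)

    def any_protected(self) -> bool:
        return any(self.inspected.get(t, False) for t in TRAFFIC_TYPES)


def vpc_status(subnets: list[Subnet]) -> Status:
    """VPC rule from the page: protected only when every subnet covers all four flows,
    unprotected when no subnet covers any flow, otherwise partially protected."""
    if not subnets:
        # Assumption: a VPC with no discovered subnets is treated conservatively as
        # unprotected rather than vacuously protected.
        return Status.UNPROTECTED
    if all(s.fully_protected() for s in subnets):
        return Status.PROTECTED
    if not any(s.any_protected() for s in subnets):
        return Status.UNPROTECTED
    return Status.PARTIAL


def region_status(vpc_statuses: list[Status]) -> Status:
    """Assumed roll-up: green only when every VPC is protected, red when none has any
    protection, orange for any mix."""
    if not vpc_statuses or all(s is Status.UNPROTECTED for s in vpc_statuses):
        return Status.UNPROTECTED
    if all(s is Status.PROTECTED for s in vpc_statuses):
        return Status.PROTECTED
    return Status.PARTIAL


def assess(inventory: dict[str, dict[str, list[Subnet]]]) -> dict:
    """inventory: cloud region -> VPC name -> subnets.
    Returns, per region, its status, map colour and the status of each VPC."""
    result = {}
    for region, vpcs in inventory.items():
        per_vpc = {name: vpc_status(subnets) for name, subnets in vpcs.items()}
        status = region_status(list(per_vpc.values()))
        result[region] = {"status": status, "colour": COLOUR[status], "vpcs": per_vpc}
    return result


def needs_protection(assessment: dict) -> list[tuple[str, str]]:
    """(region, vpc) pairs where the map would surface an Add Protection button."""
    return [(region, vpc)
            for region, data in assessment.items()
            for vpc, status in data["vpcs"].items()
            if status is not Status.PROTECTED]


# Constructed sample inventory (names are not from any real account).
SAMPLE_INVENTORY = {
    "eu-west-1": {
        "vpc-app-a": [
            Subnet("subnet-a1", {t: True for t in TRAFFIC_TYPES}),
            Subnet("subnet-a2", {t: True for t in TRAFFIC_TYPES}),
        ],
        "vpc-app-b": [
            Subnet("subnet-b1", {"app_to_internet": True}),  # only north-south inspected
            Subnet("subnet-b2", {}),                          # nothing inspected
        ],
    },
    "eu-north-1": {
        "vpc-legacy": [Subnet("subnet-l1", {}), Subnet("subnet-l2", {})],
    },
}

if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY)
    for region, data in report.items():
        print(f"{region}: {data['status'].value} ({data['colour']})")
        for vpc, status in data["vpcs"].items():
            print(f"  {vpc}: {status.value}")
    print("Add Protection candidates:", needs_protection(report))
```

Running the sample reports eu-west-1 as orange (one protected VPC, one with a single subnet inspecting only App-to-Internet traffic) and eu-north-1 as red, and lists the two VPCs that are not fully protected as the places where Add Protection would appear.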
Throughout the Cloud Asset Map and its accompanying detailed views, wherever partially protected or unprotected traffic is indicated, you will find an Add Protection button. Clicking Add Protection redirects you to the Firewall Deployment wizard. When you move to the Firewall Deployment wizard from an Add Protection button in the Cloud Asset Map, the wizard retains and prepopulates the details and context of the region, subnet, and VPCs or VNets for easier configuration. For example, if you Add Protection to AWS or Azure from the tile shown below, the wizard already knows that the firewall should be deployed in the AWS eu-west-1 region. The progress tracker on the right side of the wizard is prepopulated with the information carried over from the Cloud Asset Map.

Topology View

When you double-click a region in the Cloud Asset Map, Prisma AIRS takes you to the topology view of that region. The topology view contains two parts: the connectivity view and a metadata view.
  • In AWS, the connectivity view displays each VPC in the region, which TGW each VPC connects to, and which firewall cluster that TGW connects to. Additionally, each VPC includes the protection status. In Azure, the connectivity view lists VNet peering instead of TGWs.
    In the following example, the eu-north-1 region contains 12 VPCs in the unprotected and partially protected states. All VPCs are connected to a TGW but not all TGWs are connected to a firewall cluster.
  • The metadata view provides additional details about the region. The details are divided among three tabs: Infrastructure Assets, Traffic & Threats, and Route Table.
    • The Infrastructure Assets tab displays details about discovered firewall clusters, VPCs or VNets, and applications.
    • The Traffic & Threats tab displays data about what traffic was sent and what threats Prisma AIRS detected.
    • You access the Route Table tab by clicking a VPC and navigating to Show Details.
You can drill further down into the VPC blocks for a more detailed view of a VPC. Clicking a VPC block lists all VPCs; selecting any VPC lists the subnets within that VPC. Hovering over a subnet shows the protection status for each traffic flow. Clicking View Details opens a detailed view of the subnets, availability zones, network interfaces, and gateways such as the IGW, NAT gateway, and transit gateway attachments. You can inspect the route table for a subnet by clicking the subnet. From the VPC view, you can also access the Route Table tab, which displays the route tables present in the selected VPC.
Clicking on a firewall cluster in the topology view displays the same information as the application VPC view, except the information is for the security VPC where the firewall cluster has been deployed. Additionally, the security VPC view lists the number of firewalls in the cluster and the status of each.