Azure Cloud Account Onboarding Prerequisites
Focus
Focus
AI Runtime Security

Azure Cloud Account Onboarding Prerequisites

Table of Contents

Azure Cloud Account Onboarding Prerequisites

Prerequisites to complete before you onboard your Azure cloud account in Strata Cloud Manager.
This section outlines the prerequisites for onboarding an Azure cloud account in Strata Cloud Manager.
Where Can I Use This?What Do I Need?
  • AI Runtime Security in Azure

Create Azure Storage Account

  1. Sign in to your Azure portal.
  2. In the left panel, click on Create a resource.
  3. Search for the Storage account and select it.
  4. Click Create.
  5. Select your Subscription and Resource Group (or create a new one).
  6. Enter a unique Storage account name.
  7. Choose the Region for your storage account.
  8. Select the Performance (Standard or Premium) and Replication options.
  9. Under Networking tab:
    • Under Network access, select Enable public access from selected virtual networks and IP addresses.
    • Add the following IP addresses:
      34.71.64.3 34.28.60.186
    Refer to Create an Azure storage account for more configurations.
  10. Click Review + create.
  11. Click Create to deploy a Storage account.

Enable Virtual Network Flow Logs for vNet

  1. Sign in to the Azure portal.
  2. To enable Network Watcher, go to the Azure Portal, search for Network Watcher, select your region, and click Enable.
  3. In the Network Watcher pane, select Flow Logs from the left panel.
  4. Click on + Add flow log.
  5. Select your Subscription from the dropdown menu.
  6. Under Flow log type, choose Virtual network.
  7. Select or create a Storage Account where you want to store the logs.
  8. Enter 30 in the Retention (days) field. (This is the maximum number of days that we display the logs in the Strata Cloud Manager discovery dashboard).
  9. Click Review + Create to review your settings, then click Create to apply the configuration.

Enable Audit Logs for Azure OpenAI Traffic

  1. Go to the Azure portal and open your OpenAI resource.
  2. In the navigation pane, select Diagnostic settings → Add diagnostic setting.
  3. Enter Diagnostic setting name.
  4. In the list of log categories, select Request and Response Logs.
  5. Select to enable Archive to a storage account.
  6. Select the applicable Subscription for the Azure Event Hub.
  7. Select the Storage account to store the logs.
  8. Save your settings.
    Flow logs and audit logs must be older than 3 hours to be scanned, as Azure continuously overwrites the log file in the storage account. To prevent loss of logs, we only scan files three hours after their creation time, since discovery won't rescan files that have already been processed.

Grant Access to Storage Account from IP Addresses

  1. Go to Storage Accounts in the Azure portal.
  2. Select your Storage Account.
  3. Under Security + networking, click on Networking in the left panel.
  4. Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.
  5. Under Firewall, add the following IP addresses in the storage account:
    34.71.64.3 34.28.60.186
  6. Click Save to apply the changes.

Assign Azure Roles

To onboard more than one Azure subscription on the same tenant, assign the following roles on the application that your onboarding Terraform has installed in your Azure tenant.
  1. Go to the Azure Portal and select your subscriptions.
  2. In the left panel, navigate to Access Control (IAM).
  3. Click on the Role assignments tab.
  4. Click + Add -> Add role assignment.
  5. Select the roles for each of the required roles:
    • Azure Kubernetes Service Cluster User Role
    • Storage Blob Data Reader
    • Reader
  6. Click Next.
  7. Click Select members, search for the app using the app object ID or the app name.
    The application name is suffixed by "panw".
  8. Select the application, and then click Select.
  9. Click Next.
  10. Click Review + assign to complete the process.