AI Runtime Security
Azure Cloud Account Onboarding Prerequisites
Table of Contents
Expand All
|
Collapse All
AI Runtime Security Docs
Azure Cloud Account Onboarding Prerequisites
Prerequisites to complete before you onboard your Azure cloud account in Strata Cloud
Manager.
On this page, you will:
- Create Azure Storage Account
- Enable Virtual Network Flow Logs for vNet
- Enable Audit Logs for Azure OpenAI Traffic
- Grant Access to Storage Account from IP Addresses
- Assign Azure Roles if you want to onboard more than one Azure subscription on the same tenant.
Where Can I Use This? | What Do I Need? |
---|---|
|
Create Azure Storage Account
- Sign in to your Azure portal.In the left panel, click on Create a resource.Search for the Storage account and select it.Click Create.Select your Subscription and Resource Group (or create a new one).Enter a unique Storage account name.Choose the Region for your storage account.Select the Performance (Standard or Premium) and Replication options.Under Networking tab:
- Under Network access, select Enable public access from selected virtual networks and IP addresses.
- Add the following IP addresses:
Refer to Create an Azure storage account for more configurations.34.71.64.3 34.28.60.186 - Click Review + create.Click Create to deploy a Storage account.
Enable Virtual Network Flow Logs for vNet
- Sign in to the Azure portal.To enable Network Watcher, go to the Azure Portal, search for Network Watcher, select your region, and click Enable.In the Network Watcher pane, select Flow Logs from the left panel.Click on + Add flow log.Select your Subscription from the dropdown menu.Under Flow log type, choose Virtual network.Select or create a Storage Account where you want to store the logs.Enter 30 in the Retention (days) field. (This is the maximum number of days that we display the logs in the Strata Cloud Manager discovery dashboard).Click Review + Create to review your settings, then click Create to apply the configuration.
Enable Audit Logs for Azure OpenAI Traffic
- Go to the Azure portal and open your OpenAI resource.In the navigation pane, select Diagnostic settings → Add diagnostic setting.Enter Diagnostic setting name.In the list of log categories, select Request and Response Logs.Select to enable Archive to a storage account.Select the applicable Subscription for the Azure Event Hub.Select the Storage account to store the logs.Save your settings.Flow logs and audit logs must be older than 3 hours to be scanned, as Azure continuously overwrites the log file in the storage account. To prevent loss of logs, we only scan files three hours after their creation time, since discovery won't rescan files that have already been processed.
Grant Access to Storage Account from IP Addresses
- Go to Storage Accounts in the Azure portal.Select your Storage Account.Under Security + networking, click on Networking in the left panel.Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.Under Firewall, add the following IP addresses in the storage account:34.71.64.3 34.28.60.186Click Save to apply the changes.
Assign Azure Roles
To onboard more than one Azure subscription on the same tenant, assign the following roles on the application that your onboarding Terraform has installed in your Azure tenant. - Go to the Azure Portal and select your subscriptions.In the left panel, navigate to Access Control (IAM).Click on the Role assignments tab.Click + Add -> Add role assignment.Select the roles for each of the required roles:
- Azure Kubernetes Service Cluster User Role
- Storage Blob Data Reader
- Reader
Click Next.Click Select members, search for the app using the app object ID or the app name.The application name is suffixed by "panw".Select the application, and then click Select.Click Next.Click Review + assign to complete the process.