>
    Strata Copilot
    Deploy a Tag Collector Agent on AWS to Secure Private Clusters
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Deploy a Tag Collector Agent on AWS to Secure Private Clusters
    Download PDF
    Prisma AIRS

    Deploy a Tag Collector Agent on AWS to Secure Private Clusters

    Table of Contents

    Deploy a Tag Collector Agent on AWS to Secure Private Clusters

    Learn to deploy a tag collector agent to secure provate clusters with the Prisma AIRS AI Runtime Firewall.
    Where Can I Use This?What Do I Need?
    • Prisma AIRS AI Runtime Firewall
    • AWS
    To secure your private Kubernetes clusters in your AWS environment, you must deploy a Tag Collector Agent to collect IP-tag information. Complete the following procedure to deploy a Tag Collector Agent on AWS.
    Verify that you've completed the following prerequisites before deploying a tag collector.
    • An onboarded AWS account with the field Are the cluster workloads private? set to Yes. If you have already onboarded the AWS account, you must complete the onboarding workflow again with the above field set to Yes and execute the terraform again.
    • Administrative access to all cloud accounts involved in the deployment
    • Appropriate IAM roles and permissions for cross-account resource sharing
    • The tag collector requires network access to private cluster endpoints
    1. Log in to Strata Cloud Manager.
    2. Select AI SecurityAI Runtime Firewall.
    3. Click the plus icon in the upper right corner and select Add Agent Deployment.
    4. Select AWS as your cloud service provider and click Next.
    5. Enter a descriptive Name of the Agent Deployment.
    6. Select the Cloud Account and Cloud Region.
    7. Click Next.
    8. Enter the CIDR of the VPC where the Prisma AIRS will deploy the tag collector agent.
    9. If you need to access the tag collector VM, enter the CIDR range(s) from which the VM will be accessed.
    10. Enter one or more CIDR ranges to be Allowed Management Access.
    11. Select the Zone.
    12. Configure the transit gateway (TGW) settings. You can attach the tag collector to an existing TGW or deploy a new TGW. Prisma AIRS deploys the new TGW in the account you selected above.
      New TGW
      1. Enter the Autonomous System Number from your AWS account.
      2. Select an AWS account with which to associate the new TGW.
      3. Select one or more cloud accounts that have private workloads from the Accounts to pull IP/Tags from drop-down.
      Existing TGW
      1. Select the TGW Cloud Account.
      2. Select the TGW ID.
      3. Select one or more cloud accounts that have private workloads from the Accounts to pull IP/Tags from drop-down.
    13. Enable or disable the Management IP Address.
    14. Select a new or existing Resource Access Manager (RAM). If you select Existing, select an existing RAM from the drop-down.
    15. Enter your SSH Key.
    16. Enter the Device ID and Device PIN Value.
    17. Select an SCM folder with which to associate the tag collector.
    18. Select the PAN-OS Software Version for the tag collector.
    19. Select an EC2 instance to house the tag collector agent from the VM Size drop-down.
    20. Enter your Authcode and click Next.
    21. Enter a descriptive Terraform Template Name and download the terraform template .zip file.

    Execute the Tag Collecter Agent Terraform

    After downloading and extracting the tag collector agent terraform template, you must deploy it in your AWS environment. The tag collector architecture folder has three subdirectories—tc_iam_project, tc_project, and tgw_project.
    The terraform templates must be deployed in the order shown below.
    cd architecture
tgw_project
tc_project
tc_iam_project
    If you selected New when setting your tag collector Deployment Parameters, Prisma AIRS deploys a new TGW. After you've deployed the tgw_project Terraform template, you must add the TGW ID in the tc_projects.
    tc_project
    tgw = {
  asn = "64512"
  attachments = {
    tc_attachment = {
      name        = "tc_vpc_tgw_attachment"
      route_table = "from_tc_vpc"
      vpc_subnet  = "tc_vpc-tc_vpc_tgw_attach_"
    }
  }
  create                    = false
  create_ram_resource_share = false
  id                        = "<new-tgw-unique-identifier>"
  name                      = "test-template-tgw"
  owner                     = true
  ram_resource_share_name   = null
  route_tables = {
    from_tc_vpc = {
      create = true
      name   = "airs_tc_vpc_tgw_attachment"
    }
  }
  shared_principals = {}
}
    For new and existing TGW deployments, after deploying all three Terraform templates, you need to set up TGW attachments and route tables allowing the tag collector to communicate the your private cluster.
    1. Create a TGW attachment and route table your private cluster. Add routes to the route table for the tag collector CIDR.
    2. Create a TGW route table for the tag collector TGW attachment. Add routes to the route table for the private cluster CIDR.
    3. Configure the tag collector security group and subnets to allow traffic from the private cluster management CIDR.
    4. Configure the private cluster security group and subnets to allow traffic from the tag collector management CIDR.

    © 2026 Palo Alto Networks, Inc. All rights reserved.