This page guides you through deploying a Terraform template to add AI Runtime Security: Network intercept protection for AWS cloud
resources.
On this page, you will configure an AI Runtime Security: Network intercept in Strata Cloud Manager,
download the corresponding Terraform template, and deploy it in your cloud
environment. This setup will integrate the AI Runtime Security: Network intercept in your cloud
network architecture, enabling comprehensive monitoring and protection of your
assets.
After onboarding the cloud account, the Strata Cloud Manager command
center dashboard will show asset discovery with no AI Runtime Security: Network intercept protection
deployed. Unprotected traffic paths to and from apps, models, and the internet are
marked in red until you add firewall protection. For more details, see Discover Your Cloud Resources.
Select Network from the AI Runtime Security drop-down
list at the top.
Select Add Protections ("+" icon).
Select Cloud Service Provider as AWS and choose Next.
In Firewall Placement, select:
All traffic to protect AI and non-AI applications.
Non AI traffic only to protect all traffic except the traffic
between your applications and the AI models.
Select Next.
In Regions & Application(s):
Select your cloud account to secure.
Select a region in which you want to protect the
applications.
In Selected applications, select the applications to secure from the drop-down list.
Select all applicable zones from the drop-down menu to secure traffic for each
application (this should be the zone in which you want to create the GWLB endpoint).
For each cluster, enter the CIDR of an available (unused) subnet within your
application VPC. The GWLB endpoints are created in this CIDR. (In the AWS
Management Console, select your application VPC and record its IPv4 CIDR range.
The CIDR you enter for the GWLB endpoint must lie within this IPv4 CIDR range
of your VPC.)
Enable protection for Undiscovered VPC(s).
Click Add VPC.
Enter the VPC ID.
Select a zone.
Enter the GWLB endpoint CIDR (In the AWS console, go to
VPC > Endpoints. Select your GWLB endpoint >
Details tab > Subnet field and copy the CIDR).
Enter VPC VM subnet IDs (Navigate to VPC >
Subnets in the AWS console. Select your subnet and
copy the subnet ID from the details panel).
Submit.
Select Next.
In Protection Settings:
Select AI Runtime Security based on the type of traffic you
decided to protect under Firewall Placement in step 5.
Enter the number of firewalls to deploy.
Select zones to deploy firewalls.
Ensure the firewall zones cover all application zones you selected for each
application under Selected applications.
For example, in AWS region us-west-1, if App1 uses ZoneA and ZoneE,
and App2 uses ZoneB and ZoneD, the firewall must include ZoneA,
ZoneB, ZoneD, and ZoneE. This ensures that when Terraform creates
the GWLB service, all corresponding zones are covered.
Choose the instance type for the security VM (see Amazon EC2 instance types for
details). The supported instance types are c6in.xlarge, c6in.8xlarge, and
c6in.16xlarge. The minimum vCPUs required is 4.
Configure the following:
IP addressing scheme
Licensing
SCM management parameters
Enter the unused CIDR for the security VPC. (Go to AWS Management
Console > VPC, select your VPC, and get the CIDR for your VPC.)
Choose Yes or No for Create transit gateway:
If you choose No, select the existing
TGW ID from the drop-down list under
Select transit gateway (Go to AWS Management
Console > VPC dashboard > Transit Gateways
to get the TGW ID).
If you choose Yes, you can optionally
enter the Autonomous system number (ASN) for the
new Transit Gateway. (Refer to create a transit
gateway for more information).
Update the VPC route table by mapping the TGW
attachment. This directs network traffic through
the Transit Gateway, facilitating connectivity
between the AI Runtime Security: Network intercept
and other VPCs.
Enable Cross-Zone load balancing to
distribute incoming traffic evenly across targets
in multiple availability zones.
Select the PAN-OS version for your image.
Enter the Flex authentication code (copy the AUTH CODE for the deployment
profile you created for AI Runtime Security: Network intercept in the Customer
Support Portal).
Enable Centralize egress to route egress traffic out of the security VPC
through a NAT gateway and the security VPC's internet gateway (enabling this
option creates the NAT gateway).
List CIDR ranges to be allowed access to the
management interface.
Enter the SSH key to be used for login (see how to Create SSH keys).
Select Manage by SCM and select the
SCM folder to group the AI Runtime Security: Network intercept.
Enter a unique Terraform template name. (Use only lowercase letters, numbers,
and hyphens. Don't use a hyphen at the beginning or end, and keep the name
under 19 characters.)
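Several values entered in this workflow have constraints that Terraform only reports after a failed apply: the template name rule, the requirement that the GWLB endpoint CIDR is an unused range inside the application VPC's IPv4 CIDR, and the requirement that the firewall zones cover every zone selected for each application. The following Python script is an added example, not part of this page or of the vendor's tooling; it checks those three constraints locally before you submit the form. It calls neither AWS nor Strata Cloud Manager, and every VPC CIDR, subnet and zone value in it is constructed sample data (the zone names follow the page's us-west-1 example).

```python
import ipaddress
import re

# Added example: pre-flight checks for the values entered in the Strata Cloud
# Manager workflow. Nothing here calls AWS or SCM; all sample values are constructed.

# Template name rule from the workflow: lowercase letters, digits and hyphens only,
# no hyphen at the beginning or end, fewer than 19 characters.
TEMPLATE_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def valid_template_name(name: str) -> bool:
    """True if the name satisfies the Terraform template naming rule."""
    return len(name) < 19 and TEMPLATE_NAME_RE.match(name) is not None


def gwlb_cidr_problems(vpc_cidr: str, endpoint_cidr: str, existing_subnets) -> list:
    """Problems with the CIDR chosen for the GWLB endpoint subnet.

    The endpoint CIDR must lie inside the application VPC's IPv4 CIDR and must not
    overlap any subnet that already exists in that VPC, so that it is truly unused.
    Returns an empty list when the CIDR is acceptable.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    endpoint = ipaddress.ip_network(endpoint_cidr, strict=True)
    problems = []
    # subnet_of() raises on mixed IP versions, so compare versions first.
    if endpoint.version != vpc.version or not endpoint.subnet_of(vpc):
        problems.append(f"{endpoint} is not within VPC CIDR {vpc}")
    for subnet in existing_subnets:
        used = ipaddress.ip_network(subnet, strict=True)
        if used.version == endpoint.version and endpoint.overlaps(used):
            problems.append(f"{endpoint} overlaps existing subnet {used}")
    return problems


def missing_firewall_zones(app_zones: dict, firewall_zones) -> list:
    """Zones used by any protected application that the firewall deployment omits.

    app_zones maps an application name to the zones selected for it; the result
    is sorted so it is stable for reporting and testing.
    """
    needed = set()
    for zones in app_zones.values():
        needed.update(zones)
    return sorted(needed - set(firewall_zones))


def main():
    # Constructed sample input mirroring the page's us-west-1 example.
    app_zones = {"App1": ["ZoneA", "ZoneE"], "App2": ["ZoneB", "ZoneD"]}
    firewall_zones = ["ZoneA", "ZoneB", "ZoneD"]          # ZoneE left out on purpose
    vpc_cidr = "10.10.0.0/16"                             # application VPC CIDR (constructed)
    existing = ["10.10.1.0/24", "10.10.2.0/24"]           # subnets already in the VPC
    endpoint_cidr = "10.10.250.0/28"                      # proposed GWLB endpoint subnet

    print("template name ok:", valid_template_name("airs-aws-uswest1"))
    print("GWLB CIDR problems:", gwlb_cidr_problems(vpc_cidr, endpoint_cidr, existing))
    print("zones missing from firewall:", missing_firewall_zones(app_zones, firewall_zones))


if __name__ == "__main__":
    main()
```

Run it with your own VPC CIDR, the subnets listed under VPC > Subnets in the AWS console, and the zones you selected; a non-empty result from either check means the form values would not deploy cleanly.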
Review the topology for your AI network architecture.
Click Create terraform template.
Click Download terraform template.
Close the deployment workflow to exit.
Before you deploy the Terraform template, authenticate with the AWS Console,
then go to the AWS Marketplace and subscribe to the image. Subscribe to the same
image that you will use for the AI network intercept and the tag collector.
Unzip the downloaded file. Navigate to <unzipped-folder>, which contains two
directories: `architecture` and `modules`. Deploy the Terraform templates
in your cloud environment following the `README.md` file in the `architecture`
folder.
Initialize and apply the Terraform for the security_project. Deploying the
Terraform for the security project creates the GWLB endpoints in your AWS
account. The security_project contains the Terraform plan to create the
AI Runtime Security: Network intercept architecture.

```bash
cd architecture
cd security_project
terraform init
terraform plan
terraform apply
```
Run the application Terraform to peer the application VPCs.

```bash
cd ../application_project
terraform init
terraform plan
terraform apply
```
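The two projects must be applied in this order, because the application project peers VPCs against endpoints the security project creates. As an added example that is not part of the downloaded template or of the vendor's `README.md`, the following POSIX shell script runs both projects in that order, writes each plan to a file and applies that saved plan, so the change applied is exactly the one reviewed. It assumes the unzipped `architecture` directory layout described above; the `TERRAFORM` environment variable is this script's own convention for selecting the Terraform binary.

```shell
#!/bin/sh
# Added example (not part of the downloaded template): apply security_project,
# then application_project, saving each plan and applying the saved plan file.
# Usage: sh deploy.sh ./architecture
set -eu

# Run init, plan and apply in one project directory. The plan is written to a
# file and that file is applied, so what runs is exactly what was reviewed.
deploy_project() {
    project_dir="$1"
    plan_file="tfplan.$(basename "$project_dir")"
    (
        cd "$project_dir"
        "${TERRAFORM:-terraform}" init -input=false
        "${TERRAFORM:-terraform}" plan -input=false -out="$plan_file"
        "${TERRAFORM:-terraform}" apply -input=false "$plan_file"
    )
}

# Deploy security_project first (creates the GWLB endpoints), then
# application_project (peers the application VPCs), as the page requires.
deploy_all() {
    arch_dir="$1"
    deploy_project "$arch_dir/security_project"
    deploy_project "$arch_dir/application_project"
}

# Only run when a directory argument is given, so the functions can be sourced.
if [ "$#" -ge 1 ]; then
    deploy_all "$1"
fi
```

`-input=false` makes Terraform fail instead of prompting for missing variables, which is what you want from a script; set the variables through `terraform.tfvars` or `TF_VAR_` environment variables as the `README.md` describes.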
Configure Strata Cloud Manager or Panorama to secure VM workloads and
Kubernetes clusters and deploy pods. Configure interfaces, zones, NAT policy,
routers, and security policy rules.
Select Workflows → NGFW Setup → Device Management. The AI Runtime Security: Network intercept appears under Cloud
Managed Devices.
Switch to the Cloud Managed Devices tab to view and
manage the connected state, the configuration sync state, and the licenses of
the deployed AI Runtime Security: Network intercept.
It takes a while before the Device Status shows as
connected.
The AI Runtime Security: Network intercept deployment Terraform also creates an IP-tag collector
service, enabling you to retrieve IP-tag information from clusters. These tags
are used to populate dynamic address groups (DAGs) for automated security
enforcement. Refer to Harvesting IP-tags for details.