Deploy Prisma AIRS AI Runtime Security in AWS with Terraform

Where Can I Use This?	What Do I Need?
Prisma AIRS AI Runtime Firewall deployment in AWS	Onboard Cloud Account in AWS

Learn how to deploy the Terraform template to enable Prisma AIRS Firewall protection on AWS cloud resources.

In this page, you will configure Prisma AIRS AI Runtime Firewall in Strata Cloud Manager, download the corresponding Terraform template, and deploy it in your cloud environment. This setup will integrate the network intercept in your cloud network architecture, enabling comprehensive monitoring and protection of your assets.

After onboarding the cloud account, the Strata Cloud Manager command center dashboard will show asset discovery with no firewall protection deployed. Unprotected traffic paths to and from apps, models, and the internet are marked in red until you add firewall protection. For more details, see Discover Your Cloud Resources.

1. Log in to Strata Cloud Manager.
2. Navigate to AI Security AI Runtime Firewall.
3. Select Add Protections ("+" icon).
4. Select Cloud Service Provider as AWS and choose Next.
5. In Firewall Placement, select:

   1. Select the Traffic Streams to Inspect:

      • AI queries and responses: application to application traffic
      • Inbound traffic to cloud applications: user to application traffic
      • Outbound traffic from cloud applications: application to the internet traffic
      • Inter VPC/VNet communication: application to application traffic
      • Select All Traffic: select this option to inspect all traffic streams.
   2. Select your AWS Account and the Region.
   3. Choose your deployment method.

      • Download Terraform templates and execute on my own:
      • Auto-Execute: this option removes the need to manually deploy your firewalls and configure traffic redirection. Utilizing the multicloud security fabric, Prisma AIRS inserts new software firewall instances
6. In Regions & Application(s):

   • Select your cloud account to secure.
   • Select a region in which you want to protect the applications.
   • In Selected applications, select the applications to secure from the available list.
     The available applications are determined by the application definition criteria you configured during cloud account onboarding in the “Application Definition” step.
   • In GWLB Endpoint CIDR & Zone Pair, enter the zone and CIDR IP range.
   • Select all applicable zones from the available list to secure traffic for each application. (This should be the zone in which you want to create the GWLB endpoint).
   • For each cluster, enter the CIDR IP address of the available (unused) subnet within your application VPC.
     The GWLB endpoints will be created in this CIDR IP address. (Go to the AWS management console, select your application VPC name, and record the IPV4 CIDR address range. Ensure to include the CIDR for the GWLB endpoint to be created only within this IPV4 CIDR range within your subnet
7. Configure Traffic Inspection (to protect your clusters at namespace-level only):

   Traffic steering inspection is available only when you select namespaces from the applications list. Select the namespace and configure how to handle traffic from specific network segments (Limit to 10 CIDRs per cluster that can be inspected or bypassed at any time):

   • Inspect certain CIDRs: Only inspect traffic from specified subnet ranges.
   • Bypass certain CIDRs: Exclude traffic from specified subnet ranges from inspection.
     For container applications, all traffic to and from the applications is protected by default. Use traffic inspection options only when you need granular control over which network segments are inspected or bypassed.

     When protecting traffic from namespaces using traffic inspection, select only the namespace and not its parent VPC to avoid deployment failures. The same GWLB endpoint cannot be used for both VPC and namespace-level protection in the same zone.

   To configure Traffic Steering with Panorama, you need to:

   • Modify the Container Network Interface (CNI) to read a Palo Alto Networks customer resource. After reading the annotation, the CNI programs the routing on the app pods based on the option of FIREWALL INSPECT/BYPASS.
   • Update the custom resource file (Helm folder > Templates > Create CustomerResource.YAML). In the custom resource file, you can use FIREWALL to inspect limited CIDRs and BYPASS to avoid certain CIDRs. The appname/bypassfirewall keyword is used for both inspect and bypass traffic operations.
8. Select the Undiscovered VPC(s) tab and click Add VPC.

   Specify the following options:

   • VPC ID.
   • Cluster ID.
   • CIDR ranges to be inspected in the Inspect certain CIDRs field.
   • CIDR ranges to be bypassed in the Bypass certain CIDRs field.
   • In Zone and other info:
     • Select a zone from the available list.
     • GWLB endpoint CIDR. (In the AWS console, go to VPC > Endpoints. Select your GWLB endpoint > Details tab > Subnet field and copy the CIDR).
     • VPC VM subnet IDs. (Navigate to VPC > Subnets in the AWS console. Select your subnet and copy the subnet ID from the details panel).
     • Click Setup for a new zone to configure these values for another zone.
   • Select Submit.

   The minimum number of vCPUs required is 4.
9. Select Next.
10. In Parameters:

    1. In the Deployment type, select AI Runtime Security or VM-Series firewall type based on the type of traffic you decided to protect in the Firewall Placement step.
    2. Enable Auto-Deploy Security; by default, this option is disabled.
    3. Enter the number of firewalls to deploy.
    4. Select zones to deploy firewalls from the available zones.

       Ensure the firewall zones cover all selected application zones you selected for each application under Selected applications. For example, in the AWS region us-west-1, if App1 uses ZoneA and ZoneE, and App2 uses ZoneB and ZoneD, the firewall must include ZoneA, ZoneB, ZoneD, and ZoneE. This ensures that when Terraform creates the GWLB service, all corresponding zones are covered.
    5. Choose the instance type for the security VM (See Amazon EC2 instance types for the supported instance types).
    6. In the Firewall Scaling, select Static or Dynamic to configure autoscaling.

       With autoscaling, you can choose between static or dynamic scaling models during deployment. Dynamic scaling allows you to select from several metrics to base your autoscaling decisions on, giving you fine-grained control over how your security infrastructure adapts to changing conditions. This approach ensures that your security posture remains robust during traffic surges while optimizing license consumption during periods of lower demand. After traffic decreases and firewalls are deactivated, the system automatically removes the firewalls from inventory and returns licenses to your pool for future scaling events.

       Selecting Dynamic firewall scaling allows you to configure additional metrics:

       • Specify the Number of Firewalls to Deploy by entering a range (minimum to maximum).
       • Enter the Cloudwatch Namespace.
       • Set the Update Interval; 1-60 minutes.
       • Use the drop-down menu to configure Autoscaling Metrics:
         The firewall publishes autoscaling metrics to the respective cloud. Within SCM, this implementation allows you to choose one or more autoscaling metric and the corresponding threshold to trigger scale-in, scale-out actions.

       The table below describes autoscaling metrics:

       Metric	Description
       Dataplane CPU Utilization (%)	Monitors dataplane CPU usage and measures the traffic load on the firewall.
       Dataplane Packet Buffer Utilization (%)	Monitors dataplane buffer usage and measures buffer utilization. If you have a sudden burst in traffic, monitoring your buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer, which results in dropped packets.
       GlobalProtect™ Gateway Active Tunnels	Monitors the number of active GlobalProtect sessions on a firewall deployed as a GlobalProtect gateway. Use this metric if you use this VM-Series firewall as a VPN gateway to secure remote users. Check the datasheet for the maximum number of active tunnels supported for your firewall model.
       GlobalProtect Gateway Tunnel Utilization (%)	Monitors the active GlobalProtect tunnels on a gateway and measures tunnel utilization. Use this metric if you use this VM-Series firewall as a VPN gateway to secure remote users.
       panSessionConnectionsPerSecond	Monitors the new connection establish rate per second.
       panSessionThroughputKbps	Monitors the throughput in Kbps.
       panSessionThroughputPps	Monitors the number of packets per second.
       Sessions Active	Monitors the total number of sessions that are active on the firewall. An active session is a session that is in the flow lookup table for which packets will be inspected and forwarded, as required by policy.
       Session Utilization (%)	Monitors the TCP, UDP, ICMP and SSL sessions that are currently active and the packet rate, new connection establish rate, and firewall throughput to determine session utilization.
       SSLProxyUtilization (%)	Monitors the percentage of SSL forward proxy sessions with clients for SSL/TLS decryption.

       • Click Apply.

       After completing the Firewall Information section you can configure IP Addressing, Licensing and Management Parameters.
11. Configure the following:

    IP addressing scheme	Licensing	Management parameters
    Configure the following fields: CIDR for security VPC: Enter the CIDR IP address of an unused VPC. (Go to AWS Management Console > VPC, select your VPC, and get the CIDR for your VPC). In Create transit gateway, select: No: If you choose No, then in the Select transit gateway field, select the existing TGW ID from the available list. (Go to AWS Management Console > VPC dashboard > Transit Gateways to get the TGW ID). Yes: If you choose Yes, you can optionally enter the Autonomous system number (ASN) for the new Transit Gateway. (Refer to create a transit gateway for more information). Create the TGW attachment and map the reference route. Refer to the Create a transit gateway using Amazon VPC Transit Gateways for details. Update the VPC route table by mapping the TGW attachment. This directs network traffic through the Transit Gateway, facilitating connectivity between Prisma AIRS AI Runtime Firewall and other VPCs. For details, refer to the Create a Transit Gateway using Amazon VPC Transit Gateways. Enable Cross-Zone load balancing to distribute incoming traffic evenly across targets in multiple availability zones.	Enter the following values: PAN OS version for your image from the available list. Flex authentication code (Copy AUTH CODE for the deployment profile you created for AI Runtime Security Firewall in Customer Support Portal). Device Certificate PIN ID. Device Certificate PIN value.	In Management parameters, enter the following: Enable Deploy NAT Gateway to configure egress traffic to exit from the security VPC through security VPC IGW through a NAT gateway (Enable this option to create a NAT gateway). Enable Overlay Routing: Overlay routing, when integrated with your Prisma AIRS AI Runtime Firewall and the AWS Gateway Load Balancer (GWLB), lets you use a two-zone policy to inspect egress traffic from your AWS environment. This allows packets to leave the Prisma AIRS firewall through a different interface than the one they entered through. For a summary of different configurations for handling egress traffic, refer to the Egress Traffic Handling Scenarios on AWS table. This feature is only supported on PAN-OS version 11.2.8 or later. List CIDR ranges to be allowed access to the management interface. The SSH key to be used for login (see how to Create SSH keys). Manage by SCM and then select the SCM folder to group the Prisma AIRS AI Runtime Firewall. Refer to Workflows: Folders - Strata Cloud Manager. Manage by Panorama: For firewall management through Panorama, refer to the section on configuring your firewall to be managed by Panorama.

    Table: Egress Traffic Handling Scenarios on AWS

    This table summarizes the different configurations for handling egress traffic with Prisma AIRS on AWS, comparing the use of overlay routing and NAT gateway.

    	Overlay Routing Enabled	Overlay Routing Disabled
    Deploy NAT Gateway Disabled	Dual-arm architecture (eth1/1 & eth1/2). eth1/2 has a public IP. Direct egress through eth1/2 to the Internal Gateway (IGW). Eliminates NAT gateway costs.	Single-arm architecture (only eth1/1).
    Deploy NAT Gateway Enabled	Dual-arm architecture (eth1/1 & eth1/2). eth1/2 is private (no public IP). Egress through eth1/2 to the NAT Gateway deployed in the security VPC. Avoids public IP costs.	Single-arm architecture (only eth1/1). All traffic goes through the NAT gateway in the security VPC.

12. Select Next.
13. In Review architecture:

    • • Enter a unique Terraform template name. (Use only lowercase letters, numbers, and hyphens. (Don't use a hyphen at the beginning or end, and limit the name to under 19 characters).
      • Review the topology for your AI network architecture.
      • Click Create terraform template.
      • Click Download terraform template.
      • Close the deployment workflow to exit.

    Before you deploy the Terraform template, authenticate with the AWS Console. Go to the AWS Marketplace and subscribe. Subscribe to the same image you will use for the AI network intercept and the tag collector.
14. Unzip the downloaded file. Navigate to <unzipped-folder> with 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.
15. Initialize and apply the Terraform for the security_project.

    The security_project contains the Terraform plan to create the AI Runtime Security Firewall architecture.

    cd architecture
    
    cd security_project
    terraform init
    terraform plan
    terraform apply
    

    The `security_project` Terraform also creates an IP-tag collector service, enabling you to retrieve IP-tag information from clusters. These tags populate dynamic address groups (DAGs) for automated security enforcement. Refer to the section on Harvest IP-Tags from Public and Hybrid Kubernetes Clusters to Enforce Security Policy Rules for details.
16. Run the application Terraform to peer the application VPCs.

    cd ../application_project
    terraform init
    terraform plan
    terraform apply

    Applying the Terraform for the application_project creates the GWLB endpoints in your AWS account.
17. Configure Strata Cloud Manager or Panorama to secure VM workloads and Kubernetes clusters and deploy pods. Configure interfaces, zones, NAT policy, routers, and security policy rules.
18. Navigate to Workflows→ NGFW Setup → Device Management. The Prisma AIRS Firewall appears under Cloud Managed Devices.
19. Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the deployed Prisma AIRS AI Runtime Firewall licenses.

    It takes a while before the Device Status shows as connected.

    Next, view the threat logs and AI security logs for traffic inspection details.