This page guides you through deploying a customizable Terraform to add AI Runtime Security: Network intercept protection for Azure cloud
resources.
On this page, you will configure an AI Runtime Security: Network
intercept in Strata Cloud Manager, download the corresponding Terraform template,
and deploy it in your cloud environment. This setup will integrate the AI Runtime Security instance in your cloud network architecture,
enabling comprehensive monitoring and protection of your assets.
After onboarding the cloud account, the Strata Cloud ManagerCommand Center
dashboard will show asset discovery with no AI Runtime Security
instance protection deployed. Unprotected traffic paths to and from apps, models,
and the internet are marked in red until you add firewall protection. For more
details, see Discover Your Cloud Resources.
Select Network from the AI Runtime Security drop-down
list at the top.
Select Add Protections ("+" icon).
Select Cloud Service Provider as Azure and select
Next.
In Firewall Placement, select one or more traffic flows to
inspect.
The following table shows the network traffic type the AI Runtime Security instance or the VM-Series firewall can
support:
Traffic Type
AI Runtime Security instance
VM-Series
AI Traffic - Traffic between your applications
and AI Models
✅
Non-AI Traffic and namespaces (example,
kube-system)
✅
Cluster Traffic
✅
Non-AI and non-cluster traffic
✅
✅
If you select the `kube-system` namespace,
the VM-Series firewall option will be grayed out, as only an AI Runtime
Security instance can protect these namespaces.
Select Next.
In Region & application(s):
Select your cloud account to secure from the onboarded cloud
accounts list.
Select a region from the available options.
In Selected applications, select the applications to secure from
the drop-down list.
This list includes application workloads such as namespaces, or vNets. If you
select the kube-system namespace, the VM-Series firewall option will be grayed
out, as only AI Runtime Security can protect these
namespaces.
Enable protection for the vNet by selecting the Added vNet tab
and enter the following:
A vNet Name (Get the vNet name from Azure portal →
Virtual Networks page).
vNet CIDR (To view the vNet CIDR, go to the Azure portal →
Virtual networks and Select your virtual network.
Under Settings, click on the Address space to view
the CIDR block).
In IP addressing scheme, enter the CIDR of Security
vNet.
In Licensing:
Select the Software Version for your image.
Enter the Flex authentication code (Copy AUTH CODE for
the deployment
profile you created for AI Runtime Security:
Network intercept in Customer Support Portal).
Enter a unique Terraform template name (Use only lowercase
letters, numbers, and hyphens. Don't use a hyphen at the beginning or
end, and limit the name under 19 characters).
Review the topology for your AI network architecture.
Click Create terraform template.
Click Download terraform template.
Close the deployment workflow to exit.
Run the following commands in the Azure CLI to accept the AI Runtime Security subscription:
az vm image accept-terms --urn publisher:offer:sku:version
az vm image accept-terms --urn paloaltonetworks:airs-flex:airs-byol:version
Get
the version from the `vmseries_version` value in the Terraform file:
`<azure-deployment-terraform-path>/architecture/security_project/terraform.tfvars`
Unzip the downloaded file. Navigate to <unzipped-folder>
with 2 directories: `architecture` and `modules`. Deploy the Terraform templates
in your cloud environment following the `README.md` file in the `architecture`
folder.
Initialize and apply the Terraform for the security_project.
The security_project contains the Terraform plan to create the AI Runtime Security: network intercept (AI firewall) instance
architecture.
cd architecture
cd security_project
terraform init
terraform plan
terraform apply
Note: After applying the Terraform, note the IP
addresses from lbs_external_ips and lbs_internal_ips outputs.
You will need these later while configuring Strata Cloud Manager.
Run the application Terraform to peer the application VNets with the security
VNet.
cd ../application_project
terraform init
terraform plan
terraform apply
The security_project Terraform templates create the resources in the gray
box.
The application_project Terraform templates create the peering
connections.
The Azure deployment Terraform creates a route table.
Use it to direct your outbound traffic to the AI Runtime Security: Network
intercept (AI firewall).
Associate the route table created by the deployment Terraform to the subnet of
your application to protect your resources and direct outbound traffic through
the firewall.
In the Azure portal search for and select
Virtual networks.
Select the virtual network that contains your application subnet.
In the virtual network menu bar, choose Subnets.
On the Subnets page, select the subnet where your application resources
are deployed.
In the Route table, choose the route table created by the
deployment Terraform. This route table is typically named with a prefix
related to your AI Runtime Security deployment.
Save.
By associating this specific route table you ensure
that all outbound traffic from your application subnet is directed through
the AI Runtime Security: network intercept (firewall).
Select Workflows → NGFW Setup → Device Management. The AI Runtime Security: Network intercept appears under Cloud
Managed Devices.
Switch to the Cloud Managed Devices tab to view and
manage the connected state, the configuration sync state, and the licenses of
the deployed AI Runtime Security: Network intercept
(instances).
It takes a while before the Device Status shows as
connected.
The AI Runtime: Network intercept deployment Terraform also creates an IP-tag
collector service, enabling you to retrieve IP-Tag information from clusters.
These tags are used to populate dynamic address groups (DAGs) for automated
security enforcement. Refer harvesting IP-tags for details.
