AI Runtime Security
Deploy AI Runtime Security Instance in Azure
Add an AI Runtime Security instance in Strata Cloud Manager (SCM) to
generate the Terraform template.
This page guides you through deploying a customizable Terraform template that adds AI Runtime Security instance protection for Azure cloud resources.
On this page, you will configure an AI Runtime Security instance in SCM, download the
corresponding Terraform configuration, and deploy it in your cloud environment. This
setup will integrate the AI Runtime Security instance into your cloud network
architecture, enabling comprehensive monitoring and protection of your assets.
After onboarding, the SCM Command Center dashboard will show asset
discovery with no AI Runtime Security instance protection deployed.
Unprotected traffic paths to and from apps, models, and the internet are marked in
red until you add firewall protection. For more details, see Discover Your Cloud Resources.
1. Log in to SCM.
2. Select Insights → AI Runtime Security.
3. Select Add Protections ("+" icon).
4. Select Cloud Service Provider as Azure and select Next.
5. In Firewall Placement, select one or more traffic flows to inspect. The following table shows the network traffic types that the AI Runtime Security instance or the VM-Series firewall can protect:

| Traffic type | AI Runtime Security instance | VM-Series firewall |
|---|---|---|
| AI traffic (between your applications and AI models) | ✅ | |
| Non-AI traffic and namespaces (for example, kube-system) | ✅ | |
| Cluster traffic | ✅ | |
| Non-AI and non-cluster traffic | ✅ | ✅ |

   If you select the `kube-system` namespace, the VM-Series firewall option is grayed out, because only an AI Runtime Security instance can protect these namespaces.
6. Select Next.
7. In Region & application(s):
   - Select the cloud account to secure from the list of onboarded cloud accounts.
   - Select a region from the available options.
   - In Selected applications, select the applications to secure from the drop-down list. The list includes application workloads such as namespaces or vNets.
   - Enable protection for the vNet by selecting the Added vNet tab and entering the following:
     - The vNet name (from the Azure portal → Virtual networks page).
     - The vNet CIDR (in the Azure portal, go to Virtual networks, select your virtual network, and under Settings click Address space to view the CIDR block).
     - The Azure resource group name.
   - Select Submit.
8. Select Next.
9. In Protection Settings:
   - Select AI Runtime Security. The selection depends on the type of traffic you chose to protect under Firewall Placement in step 5.
   - Enter the number of firewalls to deploy.
   - Select the zones in which to deploy the firewalls.
   - Choose the instance type for the security VM (see D-family size series - Azure Virtual Machines for details).
   - Enter the Azure resource group name.
   - In IP addressing scheme, enter the CIDR of the security vNet.
   - In Licensing:
     - Select the Software Version for your image.
     - Enter the Flex authentication code.
     - Enter the Device Certificate PIN ID.
     - Enter the Device Certificate PIN value.
     The authentication code and the PIN are credentials; treat them as secrets.
   - In SCM management parameters:
     - List the CIDR ranges allowed to reach the management interface. Restrict this to your administrative networks; do not allow 0.0.0.0/0, which would expose the management interface to the whole internet.
     - Select the SCM folder in which to group the AI Runtime Security instance. Refer to Workflows: Folders - Strata Cloud Manager.
     - Enter the SSH public key to be used for login (see how to create SSH keys in the Azure portal).
10. Select Next.
11. In the Review Architecture screen:
    - Enter a unique Terraform template name (alphanumeric characters and hyphens only, no hyphen at the beginning or end, fewer than 19 characters).
    - Review the topology for your AI network architecture.
    - Click Create terraform template.
    - Click Download terraform template.
    - Close the deployment workflow to exit.
12. Unzip the downloaded file. The unzipped folder contains two directories, `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder. Apply `security_project` first, then `application_project`:

```shell
cd architecture
cd security_project
terraform init
terraform plan
terraform apply
cd ../application_project
terraform init
terraform plan
terraform apply
```

13. For additional security measures to protect your Kubernetes clusters, follow the steps outlined in the Configure SCM to Protect VM Workloads and Kubernetes Clusters page.
14. After the Terraform deployment completes, the SCM Command Center dashboard starts discovering the cloud assets; it takes some time for the asset data to populate. Refer to Network Traffic Risk Analysis.
15. Select Workflows → NGFW Setup → Device Management.
    - In Available Devices, select the AI Runtime Security instance and move it to Cloud Managed Devices so that SCM manages it.
    - Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the licenses of the deployed AI Runtime Security instances. It takes a while before the Device Status shows as connected.
16. Configure SCM to Protect VM Workloads and Kubernetes Clusters and deploy pods.
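The terraform command sequence above is typed by hand, and a plain `terraform apply` re-plans rather than applying the plan you just reviewed. As an added example that is not part of this page or of the vendor's Terraform bundle, the following POSIX shell script wraps the same deployment: it checks a template name against the constraint stated in the Review Architecture step, refuses to run if an expected project directory is missing, and applies each project from a saved plan file so that what is applied is exactly what was reviewed, `security_project` before `application_project`. The function names (`valid_template_name`, `deploy_project`, `deploy_bundle`) and the `deploy.sh` invocation are assumptions of this example; the directory layout is the one the page describes.

```shell
#!/bin/sh
# Added example, not part of the AI Runtime Security page or its Terraform
# bundle. Helper names and the invocation form are assumptions of the example.
# Requires the terraform CLI only when an actual deployment is requested.
set -eu

# SCM template-name constraint: alphanumeric characters and hyphens only,
# no leading or trailing hyphen, fewer than 19 characters.
# Returns 0 when the name is acceptable, 1 otherwise.
valid_template_name() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -lt 19 ] || return 1
    case $name in
        -*|*-) return 1 ;;                 # leading or trailing hyphen
        *[!A-Za-z0-9-]*) return 1 ;;       # any character outside [A-Za-z0-9-]
    esac
    return 0
}

# Initialise one Terraform project, write the plan to a file, and apply only
# that saved plan. Runs in a subshell so the caller's working directory is
# unchanged; any terraform failure propagates through set -e.
deploy_project() {
    dir=$1
    [ -d "$dir" ] || { echo "missing project directory: $dir" >&2; return 1; }
    (
        cd "$dir"
        terraform init -input=false
        terraform plan -input=false -out=tfplan
        terraform apply -input=false tfplan
    )
}

# Apply the two projects in the order the page's command sequence uses:
# security_project (security vNet and AI Runtime Security instances) first,
# then application_project.
deploy_bundle() {
    root=$1    # path to the unzipped template folder
    deploy_project "$root/architecture/security_project"
    deploy_project "$root/architecture/application_project"
}

# Entry point: ./deploy.sh <template-name> <unzipped-folder>
main() {
    valid_template_name "$1" || { echo "invalid template name: $1" >&2; return 1; }
    command -v terraform >/dev/null 2>&1 || { echo "terraform CLI not found" >&2; return 1; }
    deploy_bundle "$2"
}

# Deploy only when both arguments are given, so the functions can be
# sourced or checked without running Terraform.
if [ $# -eq 2 ]; then
    main "$1" "$2"
fi
```

Run it as `sh deploy.sh airs-azure-prod /path/to/unzipped-folder`. The saved plan file (`tfplan`) contains the resolved variable values, so delete it after the apply if the working directory is shared or committed anywhere.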