Deploy AI Runtime Security: Network Intercept in Azure

Table of Contents

Deploy AI Runtime Security: Network Intercept in GCP

Deploy AI Runtime Security: Network Intercept in AWS

Add an AI Runtime Security: Network intercept in Strata Cloud Manager to generate the Terraform template.

Where Can I Use This?	What Do I Need?
AI Runtime Security: Network intercept deployment in Azure	Onboard Cloud Account in Azure

This page guides you through deploying a Terraform to add AI Runtime Security: Network intercept protection for Azure cloud resources.

On this page, you will configure an AI network intercept in Strata Cloud Manager, download the corresponding Terraform template, and deploy it in your cloud environment. This setup will integrate the AI network intercept in your cloud network architecture, enabling comprehensive monitoring and protection of your assets.

After onboarding the cloud account, the Strata Cloud Manager command center dashboard will show asset discovery with no AI Runtime Security: Network intercept protection deployed. Unprotected traffic paths to and from apps, models, and the internet are marked in red until you add firewall protection. For more details, see Discover Your Cloud Resources.

Log in to Strata Cloud Manager.
Select Insights → AI Runtime Security.
Select Network from the AI Runtime Security drop-down list at the top.
Select Add Protections ("+" icon).
Select Cloud Service Provider as Azure and select Next.

In Firewall Placement, select one or more traffic flows to inspect.

The following table shows the network traffic type the AI Runtime Security: Network intercept or the VM-Series firewall can support:

Traffic Type	AI Runtime Security: Network intercept	VM-Series
AI Traffic - Traffic between your applications and AI Models	✅
Non-AI Traffic and namespaces (example, kube-system)	✅
Cluster Traffic	✅
Non-AI and non-cluster traffic	✅	✅

If you select the `kube-system` namespace, the VM-Series firewall option will be grayed out, as only an AI network intercept can protect these namespaces.

Select Next.
In Region & application(s):
- Select your cloud account to secure from the onboarded cloud accounts list.
- Select a region in which you want to protect the applications.
- In Selected applications, select the applications to secure from the drop-down list.
This list includes application workloads such as namespaces, or vNets. If you select the kube-system namespace, the VM-Series firewall option will be grayed out, as only AI Runtime Security can protect these namespaces.
- Enable protection for the vNet by selecting the Added vNet tab and enter the following:
  - A vNet Name (Get the vNet name from Azure portal → Virtual Networks page).
  - vNet CIDR (To view the vNet CIDR, go to the Azure portal → Virtual networks and Select your virtual network. Under Settings, click on the Address space to view the CIDR block).
  - Azure Resource Group Name.
  - Select Submit.
- Select Next.
In Protection Settings:
1. Select AI Runtime Security. The selection is based on the type of traffic you decided to protect under Firewall Placement in step 5.
2. Enter the number of firewalls to deploy.
3. Select zones to deploy firewalls.
4. Choose the instance type for the security VM (See D-family size series - Azure Virtual Machines for details).
5. Enter the Azure Resource group name.

Configure the following:

IP addressing scheme	Licensing	SCM management parameters
Enter the CIDR of Security vNet.	Software version for your image. Flex authentication code (Copy AUTH CODE for the deployment profile you created for AI Runtime Security: Network intercept in Customer Support Portal). Device Certificate PIN ID. Device Certificate PIN value.	List CIDR ranges to be allowed access to the management interface. Enter the SSH key to be used for login (see how to Create SSH keys). Select Manage by SCM and select the SCM folder to group the AI Runtime Security: Network intercept. Refer to Workflows: Folders - Strata Cloud Manager.

Refer to the Deploy AI Runtime Security: Network Intercept for Panorama Managed Firewall for the Manage by Panorama configurations.

Select Next.
In Review Architecture screen:
- Enter a unique Terraform template name (Use only lowercase letters, numbers, and hyphens. Don't use a hyphen at the beginning or end, and limit the name under 19 characters).
- Review the topology for your AI network architecture.
- Click Create terraform template.
- Click Download terraform template.
- Close the deployment workflow to exit.
Run the following commands in the Azure CLI to accept the AI Runtime Security subscription:
```
az vm image accept-terms --urn publisher:offer:sku:version

az vm image accept-terms --urn paloaltonetworks:airs-flex:airs-byol:versionCode copied to clipboard
 Unable to copy due to lack of browser support.
```
Get the version from the `vmseries_version` value in the Terraform file: `<azure-deployment-terraform-path>/architecture/security_project/terraform.tfvars`
Unzip the downloaded file. Navigate to <unzipped-folder> with 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.
Initialize and apply the Terraform for the security_project.
The security_project contains the Terraform plan to create the AI network intercept (AI firewall) architecture.
```
cd architecture

cd security_project
terraform init
terraform plan
terraform apply
```
Note: After applying the Terraform, note the IP addresses from lbs_external_ips and lbs_internal_ips outputs. You will need these later while configuring Strata Cloud Manager.
The `security_project` Terraform also creates an IP-tag collector service, enabling you to retrieve IP-tag information from clusters. These tags are used to populate dynamic address groups (DAGs) for automated security enforcement. Refer Harvest IP-Tags from Public and Hybrid Kubernetes Clusters to Enforce Security Policy Rules for details.
Run the application Terraform to peer the application VNets with the security VNet.
```
cd ../application_project
terraform init
terraform plan
terraform apply
```
The security_project Terraform templates create the resources in the gray box.

The application_project Terraform templates create the peering connections.
The Azure deployment Terraform creates a route table. Use it to direct your outbound traffic to AI network intercept (AI firewall).
Associate the route table created by the deployment Terraform to the subnet of your application to protect your resources and direct outbound traffic through the firewall.
1. In the Azure portal search for and select Virtual networks.
2. Select the virtual network that contains your application subnet.
3. In the virtual network menu bar, choose Subnets.
4. On the Subnets page, select the subnet where your application resources are deployed.
5. In the Route table, choose the route table created by the deployment Terraform. This route table is typically named with a prefix related to your AI Runtime Security deployment.
6. Save.
By associating this specific route table you ensure that all outbound traffic from your application subnet is directed through the AI Runtime Security: network intercept (firewall).
Configure Strata Cloud Manager to Secure VM Workloads and Kubernetes Clusters and deploy pods. Configure interfaces, zones, NAT policy, routers, and security policy rules.
Select Workflows → NGFW Setup → Device Management. The AI Runtime Security: Network intercept appears under Cloud Managed Devices.
Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the licenses of the deployed AI Network intercept (AI firewall).

It takes a while before the Device Status shows as connected.
The AI network intercept deployment Terraform also creates an IP-tag collector service, enabling you to retrieve IP-tag information from clusters. These tags are used to populate dynamic address groups (DAGs) for automated security enforcement. Refer harvesting IP-tags for details.

Next, view the threat logs and AI security logs for traffic inspection details.