This page guides you through deploying a customizable Terraform template to add AI Runtime Security instance protection for GCP cloud resources.
On this page, you'll configure an AI Runtime Security instance in SCM, download the
corresponding Terraform configuration, and deploy it in your cloud environment. This
setup will integrate the AI Runtime Security instance into your cloud network
architecture, enabling comprehensive monitoring and protection of your assets.
After onboarding, the SCM Command Center dashboard shows asset discovery with no AI Runtime Security instance protection deployed. Unprotected traffic paths to and from apps, models, and the internet are marked in red until you add firewall protection. For more details, see Discover Your Cloud Resources.
The following table shows the network traffic types that the AI Runtime Security instance or the VM-Series firewall can protect:

| Traffic Type | AI Runtime Security instance | VM-Series |
|---|---|---|
| AI Traffic - Traffic between your applications and AI Models | ✅ | |
| Non-AI Traffic and namespaces (example, kube-system) | ✅ | |
| Cluster Traffic | ✅ | |
| Non-AI and non-cluster traffic | ✅ | ✅ |

If you select the `kube-system` namespace, the VM-Series firewall option is grayed out, because only the AI Runtime Security instance can protect these namespaces.
Select Next.
In Region & Applications:
- Select your cloud account to secure from the onboarded cloud accounts list.
- Select a region from the available options.
- In Selected applications:
  - Select the applications to secure from the drop-down list. This list includes application workloads such as namespaces or VPCs.
  - Set the Public IP address of each application by selecting Auto generate or Input manually.
  - Protect the Undiscovered VPC(s) or add a new VPC by selecting Add VPC and entering the VPC Name, the VPC CIDRs IP address ranges, the K8s pod CIDRs IP address ranges (optional), and the K8s service CIDRs (optional).
  - Select Submit.
Select Next.
In Protection Settings:
- Select AI Runtime Security instance or VM-Series firewall type based on the type of traffic you decided to protect under
Before you deploy the Terraform template, create a GCP service
identity. Execute the following command in the gcloud CLI to create
the necessary service identity for your project. This step is
required to successfully launch the AI Runtime Security Terraform
template.
that has 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment, running the `security_project` directory first and then `application_project`, in the order shown:

```bash
cd architecture
# Deploy the security project first
cd security_project
terraform init
terraform plan
terraform apply
# Then deploy the application project
cd ../application_project
terraform init
terraform plan
terraform apply
```
Provide the required IAM permissions to the user executing the Terraform template.
After the Terraform template is deployed, the SCM Command Center dashboard starts discovering the cloud assets; it takes some time to populate the asset data.