AI Runtime Security
AWS
Post-deployment configuration of AI Runtime Security in Strata Cloud Manager to protect VM workloads and Kubernetes clusters on AWS.
- Log in to Strata Cloud Manager.
- Configure the AI Runtime Security instance (firewall) interfaces:
  - Select Manage → Configuration → NGFW and Prisma Access, then Device Settings → Interfaces.
  - Set the Configuration Scope to your AI Runtime Security folder.
  - In the Ethernet tab, configure a Layer 3 interface for eth1/1:
    - Interface: eth1/1
    - Location: specify the location, if applicable
    - Interface Type: Layer3
    - IP Address: Dynamic (DHCP Client)
- Configure zones:
  - Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Zones.
  - Set the security zone of eth1/1 to trust.
- Configure a logical router:
  - Create a logical router and add the Layer 3 interface (eth1/1) to it.
- Add a security policy rule (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy → Add Rule) with the action set to allow. Scope the rule by source and destination zone and attach the security profiles you want enforced; an unscoped allow-any rule is only appropriate while you verify connectivity.
Configurations to Secure VM Workloads
- Configure static routes for the VPC subnets where your VM workloads run:
  - Log in to Strata Cloud Manager.
  - Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.
  - Edit the IPv4 Static Routes of the logical router and add one route per workload subnet:
    - Destination: the IPv4 CIDR of the workload subnet
    - Interface: eth1/1 (trust interface)
    - Next Hop: IP Address, set to the trust subnet gateway IP shown in Strata Cloud Manager (on AWS this is the first usable address of the subnet, one above the network address)
  - Update the static route and save the logical router.
- Log in to Strata Cloud Manager.
- Select Manage → Operations → Push Config and push the policy configuration to the AI Runtime Security instance.
Configurations to Secure the Kubernetes Clusters
- Add static routes on the logical router for the Kubernetes workloads:
  - Log in to Strata Cloud Manager.
  - Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.
  - Edit the IPv4 Static Routes and add a route for the pod subnet:
    - Destination: the pod IPv4 range CIDR
    - Interface: eth1/1 (trust interface)
    - Next Hop: IP Address, set to the trust subnet gateway IP shown in Strata Cloud Manager
  - Add a second route for the service subnet:
    - Destination: the service IPv4 range CIDR
    - Interface: eth1/1 (trust interface)
    - Next Hop: IP Address, set to the trust subnet gateway IP shown in Strata Cloud Manager
  - Make sure the pod and service CIDRs do not overlap each other or the trust subnet; an overlapping route silently shadows the connected route and breaks return traffic.
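The static routes for the VM workload subnets and for the Kubernetes pod and service subnets above all have the same shape: destination CIDR, egress interface eth1/1, next hop the trust subnet's router. The script below is an added example (not Palo Alto Networks tooling) that builds that route list from your CIDRs and catches the two mistakes that are easy to make in the Strata Cloud Manager dialog: a host address pasted where a CIDR belongs, and a pod or service range that overlaps the trust subnet or another route. It assumes AWS addressing, where the subnet router sits at the first usable address (network address + 1); every CIDR in it is a constructed placeholder.

```python
"""Plan the logical-router static routes and sanity-check their inputs.

Added example, not Palo Alto Networks code. Assumes the trust subnet is an
AWS subnet, so its router (the "trust subnet gateway IP") is network + 1,
and that all routes leave via eth1/1. Sample CIDRs below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination: str   # CIDR the firewall must reach
    interface: str     # egress interface on the logical router
    next_hop: str      # next-hop IP address (the trust subnet's router)


def aws_subnet_router(subnet_cidr: str) -> str:
    """Return the AWS-reserved VPC router address (network + 1) of a subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)   # rejects host bits set
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet_cidr}: AWS subnets must be between /16 and /28")
    return str(net.network_address + 1)


def plan_routes(trust_subnet: str, destinations: Dict[str, str],
                interface: str = "eth1/1") -> List[StaticRoute]:
    """Build one static route per destination CIDR via the trust subnet router.

    Rejects a destination that overlaps the trust subnet (the firewall already
    has a connected route there, and a static route would shadow it) and
    destinations that overlap each other, which usually means a pod or service
    CIDR was copied wrongly. strict=True also rejects "10.1.10.5/24"-style
    entries where a host address was pasted instead of the subnet.
    """
    trust = ipaddress.ip_network(trust_subnet, strict=True)
    next_hop = aws_subnet_router(trust_subnet)
    routes: List[StaticRoute] = []
    accepted = []
    for name, cidr in destinations.items():
        dest = ipaddress.ip_network(cidr, strict=True)
        if dest.overlaps(trust):
            raise ValueError(f"{name} {cidr} overlaps the trust subnet {trust_subnet}")
        for other_name, other in accepted:
            if dest.overlaps(other):
                raise ValueError(f"{name} {cidr} overlaps {other_name} {other}")
        accepted.append((name, dest))
        routes.append(StaticRoute(name, str(dest), interface, next_hop))
    return routes


if __name__ == "__main__":
    # Constructed placeholders: replace with your own trust, workload, pod and service CIDRs.
    for r in plan_routes(
        trust_subnet="10.1.2.0/24",
        destinations={
            "vpc-app-subnet": "10.1.10.0/24",
            "k8s-pods": "192.168.0.0/16",
            "k8s-services": "172.20.0.0/16",
        },
    ):
        print(f"{r.name:16} destination={r.destination:18} interface={r.interface} next-hop={r.next_hop}")
```

Enter each printed line as one IPv4 static route on the logical router; the next hop is the same for every route because all of them exit through the trust interface.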
- Add a source NAT policy for outbound traffic:
  - Log in to Strata Cloud Manager.
  - Select Manage → Configuration → NGFW and Prisma Access → Network Policies → NAT.
  - Create or modify a source NAT policy:
    - Policy Name: trust2untrust, or similar
    - Source Zone: trust
    - Destination Zone: untrust
  - Configure the NAT settings. In the Interface Address section, set the interface to eth1/1; the translation uses the address of eth1/1.
  - If needed, create a complementary rule for the reverse direction (for example, untrust2trust).
- Log in to Strata Cloud Manager.
- Select Manage → Operations → Push Config and push the policy configuration to the AI Runtime Security instance.
Note: If you have a Kubernetes cluster running, follow the next section to install the Kubernetes application with Helm.
Install a Kubernetes Application with Helm
Follow the steps below to install the Kubernetes application on a Kubernetes cluster by applying the Helm chart.
Prerequisites:
- Go to your downloaded Terraform template and navigate to `<unzipped-folder>/architecture/helm`.
- Apply the Terraform for the `security_project` as shown in the AWS deployment workflow. Deploying the Terraform for the security project creates the GWLB endpoints in your AWS account.
- Open the `values.yaml` file found in `<unzipped-folder>/architecture/helm`.
- Update the `endpoints1` and `endpoints2` values with the IP addresses of your GWLB endpoints. Below is a sample `values.yaml` file:

```yaml
# Default values for ai-runtime-security.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Configure one VPC endpoint per zone so that Kubernetes traffic
# is not sent across zones. Endpoints can be added or removed
# based on requirements and zone availability.
# GWLB VPC endpoint zone1 IP address.
endpoints1: ""
endpoints1zone: us-east-1a
# GWLB VPC endpoint zone2 IP address.
endpoints2: ""
endpoints2zone: us-east-1b
# PAN CNI image.
cniimage: gcr.io/pan-cn-series/airs/pan-cni:latest
# Resource namespace name.
namespace: kube-system
# Kubernetes ClusterID value range 1-2048.
clusterid: 1
```
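A blank `endpoints1`/`endpoints2` or an out-of-range `clusterid` is not caught until the CNI pods fail, so it is worth checking the file before `helm install`. The script below is an added example, not part of the Palo Alto Networks chart: it parses the flat `key: value` layout of the sample above (it does not handle nested YAML) and enforces the constraints the file's own comments state, plus one supply-chain warning a practitioner would want: `cniimage` pinned to `:latest` means the CNI can change underneath you between installs. The two sample files and the placeholder IPs in it are constructed.

```python
"""Pre-flight check for the Helm chart's values.yaml before running helm install.

Added example, not part of the Palo Alto Networks chart. Assumes the flat
`key: value` layout of the sample values.yaml (one scalar per line, '#'
comments). Sample files below are constructed; the IPs are placeholders.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

_KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse `key: value` lines into a dict, dropping comments and quotes.

    Deliberately minimal: nested YAML is rejected rather than misread.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            raise ValueError(f"nested structure not supported: {raw!r}")
        m = _KV.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        key, val = m.groups()
        values[key] = val.strip('"').strip("'")
    return values


def validate_values(values: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors should block the install; warnings are advisory."""
    errors: List[str] = []
    warnings: List[str] = []
    zones = []
    for n in ("1", "2"):
        ep = values.get(f"endpoints{n}", "")
        zone = values.get(f"endpoints{n}zone", "")
        if not ep:
            errors.append(f"endpoints{n} is empty: set the GWLB VPC endpoint IP for {zone or 'its zone'}")
        else:
            try:
                ipaddress.IPv4Address(ep)
            except ValueError:
                errors.append(f"endpoints{n}={ep!r} is not an IPv4 address")
        if not zone:
            errors.append(f"endpoints{n}zone is empty")
        zones.append(zone)
    if zones[0] and zones[0] == zones[1]:
        errors.append(f"both endpoints are in zone {zones[0]}; use one endpoint per zone")
    cid = values.get("clusterid", "")
    if not cid.isdigit() or not 1 <= int(cid) <= 2048:
        errors.append(f"clusterid={cid!r} must be an integer in 1-2048")
    if not values.get("namespace"):
        errors.append("namespace is empty")
    image = values.get("cniimage", "")
    if not image:
        errors.append("cniimage is empty")
    elif "@sha256:" not in image and (":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest")):
        warnings.append(f"cniimage {image} is not pinned; prefer a version tag or digest")
    return errors, warnings


# Constructed sample: the shipped values.yaml with the endpoints still blank.
SAMPLE_UNFILLED = """\
# GWLB VPC endpoint zone1 IP address.
endpoints1: ""
endpoints1zone: us-east-1a
# GWLB VPC endpoint zone2 IP address.
endpoints2: ""
endpoints2zone: us-east-1b
cniimage: gcr.io/pan-cn-series/airs/pan-cni:latest
namespace: kube-system
clusterid: 1
"""

# Constructed sample: endpoints filled with placeholder GWLB endpoint IPs.
SAMPLE_FILLED = SAMPLE_UNFILLED.replace('endpoints1: ""', "endpoints1: 10.1.1.10") \
                               .replace('endpoints2: ""', "endpoints2: 10.1.2.10")

if __name__ == "__main__":
    for label, text in (("unfilled", SAMPLE_UNFILLED), ("filled", SAMPLE_FILLED)):
        errors, warnings = validate_values(parse_flat_yaml(text))
        print(f"{label}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for e in errors:
            print("  error:", e)
        for w in warnings:
            print("  warning:", w)
```

Run it against `ai-runtime-security/values.yaml` (read the file into `parse_flat_yaml`) and refuse to install while the error list is non-empty.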
Apply the Helm chart:
- Change to the Helm directory:

```shell
cd <unzipped-folder>/architecture/helm
```

- Create the `ai-runtime-security` directory and move the chart files into it:

```shell
mkdir ai-runtime-security
mv Chart.yaml ai-runtime-security
mv values.yaml ai-runtime-security
mv templates ai-runtime-security
```

- Install the Helm chart:

```shell
helm install ai-runtime-security ai-runtime-security --namespace kube-system --values ai-runtime-security/values.yaml
```

- Verify the Helm installation:

```shell
# List all Helm releases
helm list -A
# Ensure the output shows your installation with details such as:
# NAME                 NAMESPACE    REVISION  UPDATED               STATUS    CHART                      APP VERSION
# ai-runtime-security  kube-system  1         2024-08-13 07:00 PDT  deployed  ai-runtime-security-0.1.0  11.2.2
```

- Check the pod status:

```shell
kubectl get pods -A
# Verify that pods with names similar to pan-cni-***** are present.
```

- Check the endpoint slices:

```shell
kubectl get endpointslice -n kube-system
# Confirm that the output shows an ILB IP address:
# NAME              ADDRESSTYPE  PORTS   ENDPOINTS              AGE
# my-endpointslice  IPv4         80/TCP  10.2xx.0.1,10.2xx.0.2  12h
```

- Check the services running in the `kube-system` namespace:

```shell
kubectl get svc -n kube-system
# Ensure that the services pan-cni-sa and pan-plugin-user-secret are listed:
# NAME                    TYPE       CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE
# pan-cni-sa              ClusterIP  10.xx.0.1   <none>       443/TCP  24h
# pan-plugin-user-secret  ClusterIP  10.xx.0.2   <none>       443/TCP  24h
```

- Annotate the application `yaml` or the namespace so that traffic from new pods is redirected to the AI Runtime Security instance (firewall) for inspection. Pods that already exist when the annotation is added keep their current network setup until they are recreated.

For example, to redirect all new pods in the `default` namespace, add the annotation to the application manifest:

```yaml
annotations:
  paloaltonetworks.com/firewall: pan-fw
```

or annotate the namespace directly:

```shell
kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw
```
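The verification steps above are described as things to read off `kubectl` output; the script below is an added example (not Palo Alto Networks tooling) that applies the same checks to the JSON forms of those commands so they can run in CI or a post-deploy hook. It assumes exactly what the page states: pods named `pan-cni-*` in `kube-system`, the services `pan-cni-sa` and `pan-plugin-user-secret`, a populated IPv4 EndpointSlice, and the `paloaltonetworks.com/firewall=pan-fw` annotation on every namespace whose pods should be inspected. The Kubernetes objects embedded in it are constructed samples, not output from a real cluster; in use, feed it the output of `kubectl get pods -A -o json`, `kubectl get svc -n kube-system -o json`, `kubectl get endpointslice -n kube-system -o json` and `kubectl get namespace -o json`.

```python
"""Post-install verification of the AI Runtime Security Helm release.

Added example, not Palo Alto Networks tooling. Each check consumes the parsed
JSON of one kubectl command. The sample objects are constructed.
"""
from typing import Dict, List

FW_ANNOTATION = "paloaltonetworks.com/firewall"
FW_VALUE = "pan-fw"
REQUIRED_SERVICES = {"pan-cni-sa", "pan-plugin-user-secret"}


def check_cni_pods(pods: dict) -> List[str]:
    """pan-cni-* pods must exist in kube-system, be Running, with every container ready."""
    issues, found = [], 0
    for item in pods["items"]:
        meta = item["metadata"]
        if meta["namespace"] != "kube-system" or not meta["name"].startswith("pan-cni-"):
            continue
        found += 1
        status = item.get("status", {})
        if status.get("phase") != "Running":
            issues.append(f"{meta['name']}: phase is {status.get('phase')}")
        for cs in status.get("containerStatuses", []):
            if not cs.get("ready"):
                issues.append(f"{meta['name']}: container {cs['name']} is not ready")
    if found == 0:
        issues.append("no pan-cni-* pods found in kube-system")
    return issues


def check_services(svcs: dict) -> List[str]:
    """Both required ClusterIP services must be present in kube-system."""
    present = {i["metadata"]["name"] for i in svcs["items"]
               if i["metadata"]["namespace"] == "kube-system"}
    return [f"service {s} is missing from kube-system" for s in sorted(REQUIRED_SERVICES - present)]


def check_endpointslices(slices: dict) -> List[str]:
    """At least one IPv4 EndpointSlice must carry an endpoint address."""
    for item in slices["items"]:
        if item.get("addressType") == "IPv4" and any(ep.get("addresses") for ep in item.get("endpoints", [])):
            return []
    return ["no IPv4 EndpointSlice with addresses in kube-system"]


def unprotected_namespaces(namespaces: dict, expected: List[str]) -> List[str]:
    """Namespaces you expect to be inspected that lack the firewall annotation."""
    out = []
    for item in namespaces["items"]:
        name = item["metadata"]["name"]
        annotations = item["metadata"].get("annotations") or {}
        if name in expected and annotations.get(FW_ANNOTATION) != FW_VALUE:
            out.append(name)
    return out


def report(pods: dict, svcs: dict, slices: dict, namespaces: dict,
           expected: List[str]) -> Dict[str, List[str]]:
    """Collect every finding; an all-empty report means the install looks healthy."""
    return {
        "pods": check_cni_pods(pods),
        "services": check_services(svcs),
        "endpointslices": check_endpointslices(slices),
        "unannotated": unprotected_namespaces(namespaces, expected),
    }


# Constructed samples mirroring what the page's kubectl commands should show.
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "pan-cni-7x2kq", "namespace": "kube-system"},
     "status": {"phase": "Running", "containerStatuses": [{"name": "pan-cni", "ready": True}]}},
    {"metadata": {"name": "coredns-abc", "namespace": "kube-system"},
     "status": {"phase": "Running", "containerStatuses": [{"name": "coredns", "ready": True}]}},
]}
SAMPLE_SVCS = {"items": [
    {"metadata": {"name": "pan-cni-sa", "namespace": "kube-system"}},
    {"metadata": {"name": "pan-plugin-user-secret", "namespace": "kube-system"}},
]}
SAMPLE_SLICES = {"items": [
    {"addressType": "IPv4", "endpoints": [{"addresses": ["10.200.0.1"]}, {"addresses": ["10.200.0.2"]}]},
]}
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "default", "annotations": {FW_ANNOTATION: FW_VALUE}}},
    {"metadata": {"name": "payments"}},   # should be inspected but is not annotated
    {"metadata": {"name": "kube-system"}},
]}

if __name__ == "__main__":
    findings = report(SAMPLE_PODS, SAMPLE_SVCS, SAMPLE_SLICES, SAMPLE_NAMESPACES, ["default", "payments"])
    for section, problems in findings.items():
        print(f"{section}: {'ok' if not problems else '; '.join(problems)}")
```

The `unannotated` check is the one most often missed: the CNI pods can be healthy while a workload namespace still sends traffic straight out because nobody annotated it.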