>
    AWS
    Focus
    Download PDF
    Focus
    1. Home
    2. AI Runtime Security
    3. Administration
    4. Deploy AI Runtime Security Instance in Public Clouds
    5. Configure SCM to Protect VM Workloads and Kubernetes Clusters
    6. AWS
    Download PDF
    AI Runtime Security

    AWS

    Table of Contents

    AWS

    AI Runtime Security post deployment configurations in Strata Cloud Manager (SCM) to protect VM workloads and Kubernetes clusters.
    Where Can I Use This?What Do I Need?
    1. Log in to SCM.
    2. Configure AI Runtime Security instance (firewall) Interfaces:
      1. Select Manage → Configuration → NGFW and Prisma Access.
      2. Select Device Settings → Interfaces.
      3. Set the Configuration Scope to your AI Runtime Security folder.
      4. In Ethernet tab:
        Configure a Layer 3 Interface for eth1/1:
        • Interfaces: eth1/1
        • Location: Specify the location if applicable
        • Interface Type: Layer3
        • IP Address: Dynamic (DHCP Client)
    3. Configure zones:
      • Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Zones.
      • Set Security Zone to trust for eth1/1.
    4. Configure a Logical Router:
      • Create a Logical Router and add the Layer 3 interface (eth1/1).
    5. Add a security policy (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy → Add Rule). Set the action as allow.

    Configurations to Secure VM Workloads

    1. Configure Static Routes for vNet endpoints.
      1. Log in to SCM.
      2. Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.
      3. For vNet Subnet:
        • Edit the IPv4 Static Routes and add the route for the vNet IPv4 range CIDR subnets.
        • Set the Next Hop as eth1/1.
        • Set the Destination as the trust subnet gateway IP from SCM.
        • Update the static route.
        Save the logical router.
    2. Log in to SCM.
    3. Select Manage → Operations → Push Config and push the policy configurations to the AI Runtime Security instance.

    Configurations to Secure the Kubernetes Clusters

    1. Add static routes on the Logical Router for Kubernetes workloads:
      1. Log in to SCM.
      2. Select Manage → Configuration → NGFW and Prisma Access → Device Settings → Routing → Logical Routers.
      3. Configure Static Routes for the pod and service subnets for the Kubernetes workloads:
        Pod Subnet:
        • Edit the IPv4 Static Routes and add a route with the Pod IPv4 range CIDR.
        • Set the Next Hop as eth1/1 (trust interface).
        • Set the Destination as the trust subnet gateway IP from SCM.
        Service Subnet:
        • Edit the IPv4 Static Routes add a route with the IPv4 Service range CIDR.
        • Set the Next Hop as eth1/1 (trust interface).
        • Set the Destination as the trust subnet gateway IP from SCM.
    2. Add source NAT policy for outbound traffic:
      1. Log in to SCM.
      2. Select Manage → Configuration → NGFW and Prisma Access → Network Policies → NAT.
      3. Create or modify a Source NAT Policy:
        • Source Zone: Trust
        • Destination Zone: Untrust (eth1/1)
        • Policy Name: trust2untrust or similar.
    3. Configure NAT settings:
      Interface Address Section:
      • Set the Interface to eth1/1. (The translation happens at eth1/1).
        If needed, create a complementary rule for the reverse direction (for example, untrust2trust).
    4. Log in to SCM.
    5. Select Manage → Operations → Push Config and push the policy configurations to the AI Runtime Security instance.
      Note: If you have a Kubernetes cluster running, follow the section to install a kubernetes application with Helm.

    Install a Kubernetes Application with Helm

    Follow the below steps to install a Kubernetes application on a Kubernetes cluster by applying the helm chart.
    Prerequisites:
    • Go to your downloaded Terraform template and navigate to `<unzipped-folder>/architecture/helm`.
    • Apply the Terraform for the `security_project` as shown in the AWS deployment workflow.
      Deploying the Terraform for the security project creates the GWLB endpoints in your AWS account.
    • Open the `values.yaml` file found in the path: `<unzipped-folder>/architecture/helm`.
    • Update the `endpoints1` and `endpoints2` values with your GWLB endpoints IP addresses. Below is a sample `values.yaml` file:
      # Default values for ai-runtime-security.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Configure vpc endpoint per zone. This makes sure kubernetes
# traffic is not sent across zone. Endpoints can be added or
# removed based on requirements and zone availability.
# GWLB VPC endpoint zone1 IP address.
endpoints1: ""
endpoints1zone: us-east-1a

# GWLB VPC endpoint zone2 IP address.
endpoints2: ""
endpoints2zone: us-east-1b

# PAN CNI image.
cniimage: gcr.io/pan-cn-series/airs/pan-cni:latest

# Resource namespace name.
namespace: kube-system

# Kubernetes ClusterID value range 1-2048.
clusterid: 1
    • Apply the helm chart by following the below steps.
    1. Change the directory to the Helm folder: 
      cd <unzipped-folder>/architecture/helm
    2. Create the `ai-runtime-security` directory and move the below files to this directory:
      mkdir ai-runtime-security

mv Chart.yaml ai-runtime-security
mv values.yaml ai-runtime-security
mv templates ai-runtime-security
    3. Install the Helm chart: 
      helm install ai-runtime-security ai-runtime-security --namespace kube-system --values ai-runtime-security/values.yaml
    4. Verify the Helm installation: 
      #List all Helm releases
helm list -A

#Ensure the output shows your installation with details such as:
NAME                    NAMESPACE      REVISION  UPDATED                   STATUS      CHART                         APP VERSION
ai-runtime-security     kube-system    1         2024-08-13 07:00 PDT      deployed   ai-runtime-security-0.1.0    11.2.2
    5. Check the pod status: 
      kubectl get pods -A
#Verify that the pods with names similar to `pan-cni-*****` are present.
    6. Check the endpoint slices: 
      kubectl get endpointslice -n kube-system

#Confirm that the output shows an ILB IP address:
NAME             ADDRESSTYPE PORTS   ENDPOINTS            AGE
my-endpointslice IPv4      80/TCP  10.2xx.0.1,10.2xx.0.2 12h
    7. Check the services running in the `kube-system` namespace: 
      kubectl get svc -n kube-system

#Ensure that services `pan-cni-sa` and `pan-plugin-user-secret` are listed:
NAME                    TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)        AGE
pan-cni-sa              ClusterIP      10.xx.0.1        <none>         443/TCP        24h
pan-plugin-user-secret  ClusterIP      10.xx.0.2        <none>         443/TCP        24h
    8. Annotate the application `yaml` or `namespace` so that the traffic from the new pods is redirected to the AI Runtime Security instance (firewall) for inspection.
      annotations:       	   	 paloaltonetworks.com/firewall: pan-fw
      For example, for all new pods in the "default" namespace:
      kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw

    © 2024 Palo Alto Networks, Inc. All rights reserved.