Azure
Focus
Focus
AI Runtime Security

Azure

Table of Contents


Azure

AI Runtime Security post deployment configurations in Strata Cloud Manager to protect VM workloads and Kubernetes clusters.
Where Can I Use This?What Do I Need?

Configure Strata Cloud Manager

Interfaces

Configure AI Runtime Security (firewall) Interfaces:
  1. Navigate to Manage → Configuration → NGFW and Prisma Access→ Device Settings → Interfaces
  2. Set the Configuration Scope to your AI Runtime Security folder.
  3. Select Add Interface.
    • In the Ethernet tab, configure a Layer 3 Interface for eth1/1(trust) and eth1/2(untrust):
      • Enter Interface Name (Create interfaces for both eth1/1(trust) and eth1/2(untrust) interfaces).
      • Select Layer3Interface type.
      • In Logical Routers, select `vr-private` for eth1/1 and `vr-public` for eth1/2.
      • In Zone, select trust for eth1/1 and untrust for eth1/2.
      • Select DHCP Client type under IPV4 address.
      • Enable IPV4 for both eth1/1 and eth1/2 interfaces.
      • For eth1/2 (untrust) only, enable Automatically create default route pointing to default gateway provided by server.
      • Select Advanced Settings > Other Info.
      • Select a Management Profile swith HTTPS enabled under Administrative Management Services or create a new one:
      • Add.
    • Select the Loopback tab to configure the Loopback interface to receive health checks from each load balancer:
      • Select the Logical Routers.
      • Set the trust Zone for private Logical Router and untrust Zone for the public Logical Router.
      • In the IPv4s section, enter the private IP address of the Internal Load Balancer (ILB).
        This IP address is in the output displayed after successfully deploying the `security_project` Terraform, as described on the Deploy AI Runtime Security: Network Intercept in Azure page.
      • Expand Advanced Settings → Management Profile and add your allow-health-checks profile.
      • Add or Save.

Zones

  1. Navigate to Manage → Configuration → NGFW and Prisma Access→ Device Settings → Zones.
  2. Select Add Zone.
  3. Enter a Name.
  4. Select Layer3 Interface type.
  5. In Interfaces, add $eth1 interface for trust zone and $eth2 interface for untrust zone.
  6. Save.

NAT

Configure the NAT policies for inbound and outbound traffic:
  1. Navigate to Manage → Configuration → NGFW and Prisma Access → Network Policies → NAT.
  2. Configure NAT Policy for inbound traffic:
    1. Enter a Name indicating inbound traffic (for example, inbound-web).
    2. Original Packet:
      • In Source zones, click add and select untrust zone.
    3. Destination:
      • select untrust Zone.
      • Select any Interface.
      • In Addresses, click the add (+) icon and select the public Elastic Load Balancer (ELB) address.
    4. Choose any Service.
    5. Translated Packet:
      • In Translation, select Both.
      • In Source Address Translation, select the Dynamic IP and Port translation type.
      • In choice, select Interface Address.
      • In Interface, select eth1(ethernet1/1).
      • In Choice, select IP address.
      • Set the Static IP address as the Translation Type.
      • Select the destination Translated Address.
    6. Save.
  3. Configure NAT Policy for Outbound traffic:
    1. Enter a Name indicating inbound traffic (for example, outbound-internet).
    2. Original Packet:
      • In Source zones, click add and select trust zone.
      • In Addresses, click the add (+) icon and select the app-vnet and the Kubernetes pods CIDR you want to secure.
    3. Destination:
      • Select untrust destination zone.
      • Select any interface.
    4. Choose any Service.
    5. Translated Packet:
      • In Translation, select Source Address Only.
      • In Source Address Translation, select the Dynamic IP and Port translation type.
      • In choice, select Interface Address.
      • In Interface, select eth2(ethernet1/2).
      • In Choice, select IP address.
    6. Save.

Routers

Configure private and public virtual routers:
Azure health probe fails with a single virtual router (VR). Create multiple VRs to ensure probe success.
  1. Navigate to Manage → Configuration → NGFW and Prisma Access→ Device Settings → Routing.
  2. Enter a Name indicating private and public routers (for example, vr-private and vr-public).
  3. In Interfaces, select eth1(ethernet1/1) for vr-private route and eth2(ethernet1/2) for vr-public route.
    Refer the section on Interfaces to see how to configure the $eth1 and $eth2 interfaces.
  4. In Advanced Settings, select Edit to configure the IPV4 Static Routes for vr-private and vr-public.
    1. Select Add Static Route and add the following routes:
    2. Application routing:
      1. Enter a Name (for example, app-vnet).
      2. In Destination, enter the CIDR address of your application.
      3. In Next Hop:
        • For vr-private, select IP Address and enter the gateway IP address of the private interface (eth1/1) in the IP Address.
          The gateway IP address is the first usable IP in the subnet's range (example, 192.168.1.1 for a /24 subnet). To find it, go to Azure Portal > Virtual Networks > [Your Virtual Network] > Subnets > [Private Subnet].
        • For vr-public, select Next Router and select the `vr-private` in the Next Router.
      4. In Interface, select eth1(ethernet1/1) subnet for `vr-private` and None for `vr-public`.
    3. Default routing:
      1. Enter a Name.
      2. In Destination, enter 0.0.0.0/0.
      3. In Next Hop:
        • For vr-private, select Next Router and enter the `vr-public` in the Next Router.
        • For vr-public, select IP Address and enter the gateway IP address of the vr-public interface (eth1/2) in the IP Address.
      4. In Interface, choose None for `vr-private` and eth2(ethernet1/2) for `vr-public`.
      5. Add or Update.
    4. Azure Load Balancer’s health probe:
      1. Enter a Name.
      2. In Destination, enter the IP address of the Azure Load Balancer’s health probe (168.63.129.16/32).
      3. In Next Hop, select IP Address for vr-private and vr-public.
        • In IP Address, enter the gateway IP address of the corresponding interfaces.
      4. In Interface, select eth1(ethernet1/1) for vr-private and eth2(ethernet1/2) for vr-public.
    5. Add.
  5. Save.
  6. Static routes summary for `vr-private`:
    Route TypeNameDestinationNext HopNext Hop ValueInterface
    Application routingapp-vnetApplication CIDRIP AdderssGateway IP address of vr-privateGateway IP address of vr-private
    Default Routingdefault0.0.0.0/0Next Routervr-publicNone
    Azure LB Health Probeazure-probe168.63.129.16/32IP AddressSubnet Gateway IP addresseth1(ethernet1/1)
  7. Static route summary for `vr-public`:
    Route TypeNameDestinationNext HopNext Hop ValueInterface
    Application routingapp-vnetApplication CIDRNext Routervr-privateeth1(ethernet1/1)
    Default Routingdefault0.0.0.0/0IP AddressGateway IP address of vr-publiceth2(ethernet1/2)
    Azure LB Health Probeazure-probe168.63.129.16/32IP AddressSubnet Gateway IP addresseth2(ethernet1/2)

Security Policy

  1. Add a security policy (Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy → Add Rule).
    Ensure the policy allows health checks from the Azure Load Balancer (LB) pool to the internal LB IP from Strata Cloud Manager. Check session IDs to ensure the firewall responds correctly on the designated interfaces.

Configurations to Secure VM Workloads

  1. Configure routes for vNet endpoints as explained in the Routers section above to ensure there is a route to your application.
  2. Navigate to Manage → Operations → Push Config and push the policy configurations to your firewall (AI Runtime Security: Network interecept).
  3. Create or update the NAT policy (refer to the NAT section above) to secure the VM workloads. Set the source address of the application you want to secure.

Configurations to Secure the Kubernetes Clusters

  1. Configure static routes (refer to the routes section above) on the Logical Router for Kubernetes workloads.
  2. Follow the below configurations for pod and service subnets static routes for pod for the Kubernetes workloads:
    1. Pod Subnet and Service subnet for vr-private:
      Route TypeNameDestinationNext HopNext Hop ValueInterface
      Pod subnetpod_routePod IPV4 range CIDRIP AddressSubnet Gateway IP addresseth1(ethernet1/1)
      Service subnetservice_route172.16.0.0/24IP AddressSubnet Gateway IP addresseth1(ethernet1/1)
    2. Pod Subnet and Service subnet for vr-public:
      Route TypeNameDestinationNext HopNext Hop ValueInterface
      Pod subnetpod_routePod IPV4 range CIDRNext Routervr-privateNone
      Service subnetservice_route172.16.0.0/24Next Routervr-privateNone
  3. Refer to the NAT policy in the above section to secure the Kubernetes clusters and set the source address of the Kubernetes pods CIDR you want to secure.
  4. Navigate to Manage → Operations → Push Config and push the policy configurations to your firewall (AI Runtime Security: Network interecept).

Install a Kubernetes Application with Helm

Follow the below steps to install a Kubernetes application on a Kubernetes cluster.
  1. Change the directory to the Helm folder:
    cd <unzipped-folder>/architecture/helm
  2. Install the Helm chart:
    helm install ai-runtime-security helm --namespace kube-system --values helm/values.yaml
    Enable "Bring your own Azure virtual network" to discover Kubernetes-related vnets:
    1. In Azure Portal, navigate to Kubernetes services → [Your Cluster]→ Settings→ Networking.
    2. Under Network configuration, select Azure CNI as the Network plugin, then enable Bring your own Azure virtual network.
  3. Verify the Helm installation:
    #List all Helm releases helm list -A #Ensure the output shows your installation with details such as: NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION ai-runtime-security kube-system 1 2024-08-13 07:00 PDT deployed ai-runtime-security-0.1.0 11.2.2
  4. Check the pod status:
    kubectl get pods -A #Verify that the pods with names similar to `pan-cni-*****` are present.
  5. Check the endpoint slices:
    kubectl get endpointslice -n kube-system #Confirm that the output shows an ILB IP address: NAME ADDRESSTYPE PORTS ENDPOINTS AGE my-endpointslice IPv4 80/TCP 10.2xx.0.1,10.2xx.0.2 12h
  6. Check the services running in the `kube-system` namespace:
    kubectl get svc -n kube-system #Ensure that services `pan-cni-sa` and `pan-plugin-user-secret` are listed: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE pan-cni-sa ClusterIP 10.xx.0.1 <none> 443/TCP 24h pan-plugin-user-secret ClusterIP 10.xx.0.2 <none> 443/TCP 24h
  7. Annotate the application `yaml` or `namespace` so that the traffic from the new pods is redirected to the AI Runtime Security instance (firewall) for inspection.
    annotations: paloaltonetworks.com/firewall: pan-fw
    For example, for all new pods in the "default" namespace:
    kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw

(Optional) Configure Labels in Your Cloud Environment

The deployment Terraform you generate from Strata Cloud Manager, automatically adds the required labels to organize your AI Runtime Security: network intercept instances.
For manual deployments, ensure you have the following labels (key-value pairs) in your Terraform template.
  1. You need the following labels (key-value pairs) under Tags in the Terraform template file under your downloaded path `<azure|aws-deployment-terraform-path>/architecture/security_project/terraform.tfvars`. The value of these keys must be unique.
    • For GCP:
      • `paloaltonetworks_com-trust`
      • `paloaltonetworks_com-occupied`
    • For Azure and AWS:
      • paloaltonetworks.com-trust
      • paloaltonetworks.com-occupied
  2. Ensure, the network interface name in the security_project Terraform is suffixed by `-trust-vpc`.