AI Runtime Security

This page describes the AI Runtime Security post-deployment configuration in Panorama and AWS that protects VM workloads and Kubernetes clusters.

Configure Panorama

Interfaces

  1. Navigate to Network > Interfaces.
  2. Set the Configuration Scope to your AI Runtime Security folder.
  3. Select Add Interface.
    • In the Ethernet tab, configure a Layer 3 interface for eth1/1 (trust).

Zone

  1. Configure Zones (Network → Zones).
  2. Select Add Zone.
  3. Enter a Name.
  4. Select Layer3 Interface type.
  5. In Interfaces, add the $eth1 interface to the trust zone.
  6. Save.

Security Policy

  1. Add a security policy and set the action to Allow.
  2. Select Commit → Commit and Push to push the policy configuration to the AI Runtime Security: Network Intercept (the AI firewall).

Install a Kubernetes Application with Helm

Follow the steps below to install the application on your Kubernetes cluster by applying the Helm chart.
Prerequisites:
  • Go to your downloaded Terraform template and navigate to `<unzipped-folder>/architecture/helm`.
  • Apply the Terraform for the `security_project` as shown in Deploy AI Runtime Security: Network Intercept in AWS.
    Deploying the Terraform for the security project creates the GWLB endpoints in your AWS account.
  • Open the `values.yaml` file found in the path: `<unzipped-folder>/architecture/helm`.
  • Update the `endpoints1` and `endpoints2` values with your GWLB endpoints IP addresses. Below is a sample `values.yaml` file:
    # Default values for ai-runtime-security.
    # This is a YAML-formatted file.
    # Declare variables to be passed into your templates.

    # Configure vpc endpoint per zone. This makes sure kubernetes
    # traffic is not sent across zone. Endpoints can be added or
    # removed based on requirements and zone availability.

    # GWLB VPC endpoint zone1 IP address.
    endpoints1: ""
    endpoints1zone: us-east-1a

    # GWLB VPC endpoint zone2 IP address.
    endpoints2: ""
    endpoints2zone: us-east-1b

    # PAN CNI image.
    cniimage: gcr.io/pan-cn-series/airs/pan-cni:latest

    # Resource namespace name.
    namespace: kube-system

    # Kubernetes ClusterID value range 1-2048.
    clusterid: 1
  • Apply the helm chart by following the below steps.
  1. Change the directory to the Helm folder:
    cd <unzipped-folder>/architecture/helm
  2. Install the Helm chart:
    helm install ai-runtime-security helm --namespace kube-system --values helm/values.yaml
    This creates a container network interface (CNI), but it doesn't protect container traffic until you annotate the application `yaml` or `namespace`. Restart existing application pods after the Helm chart is applied so that they are attached to the CNI.
  3. Verify the Helm installation:
    #List all Helm releases
    helm list -A
    #Ensure the output shows your installation with details such as:
    NAME                 NAMESPACE    REVISION  UPDATED               STATUS    CHART                      APP VERSION
    ai-runtime-security  kube-system  1         2024-08-13 07:00 PDT  deployed  ai-runtime-security-0.1.0  11.2.2
  4. Check the pod status:
    kubectl get pods -A
    #Verify that the pods with names similar to `pan-cni-*****` are present.
  5. Check the endpoint slices:
    kubectl get endpointslice -n kube-system
    #Confirm that the output shows an ILB IP address:
    NAME              ADDRESSTYPE  PORTS   ENDPOINTS               AGE
    my-endpointslice  IPv4         80/TCP  10.2xx.0.1,10.2xx.0.2   12h
  6. Check the services running in the `kube-system` namespace:
    kubectl get svc -n kube-system
    #Ensure that services `pan-cni-sa` and `pan-plugin-user-secret` are listed:
    NAME                    TYPE       CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE
    pan-cni-sa              ClusterIP  10.xx.0.1   <none>       443/TCP  24h
    pan-plugin-user-secret  ClusterIP  10.xx.0.2   <none>       443/TCP  24h
  7. Annotate the application `yaml` or `namespace` so that the traffic from the new pods is redirected to the AI Runtime Security: Network intercept managed by Panorama for inspection.
    annotations:
      paloaltonetworks.com/firewall: pan-fw
    For example, for all new pods in the "default" namespace:
    kubectl annotate namespace default paloaltonetworks.com/firewall=pan-fw
    Any pod deployed in an annotated namespace after the Helm chart is applied will be secured and monitored.
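The two things that most often go wrong in the procedure above are a `values.yaml` pushed with the GWLB endpoint fields still empty, and application namespaces that never received the `paloaltonetworks.com/firewall=pan-fw` annotation, so their pods run outside inspection. The following script is an added example written for this page, not part of the Helm chart or of Palo Alto Networks' tooling. It validates the constraints the page states for `values.yaml` (endpoint IPs present and valid, `clusterid` within 1-2048) and audits the JSON that `kubectl get namespaces -o json` produces for namespaces missing the annotation. The sample `values.yaml` text and the namespace JSON are constructed inline so it runs offline; the availability-zone name pattern and the `:latest`-tag warning are this example's own heuristics, not requirements from the page.

```python
"""Pre-flight and post-install checks for the AI Runtime Security Helm deployment.

Added example (not the product's own code). Runs without helm or kubectl:
all inputs below are constructed samples.
"""
import ipaddress
import json
import re

FIREWALL_ANNOTATION = "paloaltonetworks.com/firewall"
FIREWALL_VALUE = "pan-fw"
# Heuristic for AWS availability-zone names such as us-east-1a (assumption of this example).
AZ_PATTERN = re.compile(r"[a-z]{2}(-[a-z]+)+-\d+[a-z]")


def parse_values(text):
    """Parse the flat `key: value` lines of values.yaml without needing PyYAML.

    Comment and blank lines are skipped; the value is split off at the first
    colon so image references like gcr.io/...:latest keep their tag.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # unquote "" or 'x'
        values[key.strip()] = value
    return values


def check_values(values):
    """Return {'errors': [...], 'warnings': [...]} for a parsed values.yaml.

    Errors block the install (helm would deploy a CNI that cannot reach the
    GWLB endpoints); warnings are hardening advice from this example.
    """
    errors, warnings = [], []
    for n in ("1", "2"):
        endpoint = values.get(f"endpoints{n}", "")
        zone = values.get(f"endpoints{n}zone", "")
        if not endpoint:
            errors.append(f"endpoints{n} is empty: set the GWLB VPC endpoint IP for zone {zone or n}")
        else:
            try:
                ipaddress.ip_address(endpoint)
            except ValueError:
                errors.append(f"endpoints{n}={endpoint!r} is not a valid IP address")
        if not AZ_PATTERN.fullmatch(zone):
            errors.append(f"endpoints{n}zone={zone!r} does not look like an AWS availability zone")
    try:
        cluster_id = int(values.get("clusterid", ""))
    except ValueError:
        cluster_id = 0
    if not 1 <= cluster_id <= 2048:
        errors.append("clusterid must be an integer in the range 1-2048")
    if values.get("cniimage", "").endswith(":latest"):
        warnings.append("cniimage uses the mutable :latest tag; pin a version or digest for reproducible rollouts")
    return {"errors": errors, "warnings": warnings}


def unprotected_namespaces(kubectl_ns_json, ignore=("kube-system", "kube-public", "kube-node-lease")):
    """Return namespaces whose new pods will NOT be redirected to the firewall.

    Input is the JSON from `kubectl get namespaces -o json`. A namespace is
    protected only if it carries paloaltonetworks.com/firewall=pan-fw exactly.
    """
    doc = json.loads(kubectl_ns_json)
    missing = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        if name in ignore:
            continue
        if (meta.get("annotations") or {}).get(FIREWALL_ANNOTATION) != FIREWALL_VALUE:
            missing.append(name)
    return sorted(missing)


# Constructed sample: the shipped template with the endpoint fields still empty.
TEMPLATE_VALUES = """
# GWLB VPC endpoint zone1 IP address.
endpoints1: ""
endpoints1zone: us-east-1a
# GWLB VPC endpoint zone2 IP address.
endpoints2: ""
endpoints2zone: us-east-1b
cniimage: gcr.io/pan-cn-series/airs/pan-cni:latest
namespace: kube-system
clusterid: 1
"""
# Constructed sample: endpoints filled in with private IPs from a lab VPC.
FILLED_VALUES = TEMPLATE_VALUES.replace('endpoints1: ""', 'endpoints1: "10.0.1.10"').replace(
    'endpoints2: ""', 'endpoints2: "10.0.2.10"')

# Constructed sample of `kubectl get namespaces -o json` (trimmed to what the audit reads).
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": "kube-system"}},
    {"metadata": {"name": "default", "annotations": {FIREWALL_ANNOTATION: FIREWALL_VALUE}}},
    {"metadata": {"name": "payments"}},
    {"metadata": {"name": "staging", "annotations": {FIREWALL_ANNOTATION: "none"}}},
]})

if __name__ == "__main__":
    for label, text in (("template", TEMPLATE_VALUES), ("filled", FILLED_VALUES)):
        print(label, check_values(parse_values(text)))
    print("unprotected namespaces:", unprotected_namespaces(SAMPLE_NAMESPACES))
```

Run the script before `helm install` to catch an unedited `values.yaml`, and after annotating namespaces to list any that still bypass the network intercept. Namespaces in the `ignore` tuple are the cluster's own control-plane namespaces, which the page does not ask you to annotate.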