AWS
Prisma AIRS AI Runtime: Network intercept post deployment configurations in Panorama and AWS to protect VM workloads and Kubernetes clusters.
Where Can I Use This?
  • Secure VMs and Kubernetes Clusters in Panorama

Configure Panorama

Interfaces

  1. Navigate to Network > Interfaces.
  2. Set the Configuration Scope to your AI Runtime Security folder.
  3. Select Add Interface.
    • In the Ethernet tab, configure a Layer 3 interface for eth1/1 (trust):
      • In Interface Name, enter eth1/1.
      • Select Layer3 as the Interface type.
      • In Logical Routers, select `vr-private` for eth1/1.
      • In Zone, select trust for eth1/1.
      • Under IPv4, select DHCP Client as the address type.
      • Enable IPv4 on eth1/1.
      • Select Advanced Settings > Other Info.
      • Select a Management Profile that has HTTPS enabled under Administrative Management Services, or create a new one.
      • Select Add.

Zone

  1. Configure Zones (Network → Zones).
  2. Select Add Zone.
  3. Enter a Name.
  4. Select Layer3 as the zone type.
  5. In Interfaces, add the eth1/1 interface to the trust zone.
  6. Save.

Security Policy

  1. Add a security policy and set the action to Allow.
  2. Select Commit → Commit and Push to push the policy configuration to Prisma AIRS AI Runtime: Network intercept.

Secure a Kubernetes Application with Helm

This section covers how to install and configure the Helm chart to secure your Kubernetes applications based on the protection level you selected during deployment.
The Helm chart installation process and directory structure vary depending on whether you selected VPC-level protection or namespace-level protection with traffic steering inspection. VPC-level protection secures all applications within the VPC, while namespace-level protection with traffic inspection provides granular control over specific application traffic flows and CIDR-based inspection rules.
Your deployment configuration determines the specific Helm chart structure and commands required for your environment.
Prerequisites:
  • Go to your downloaded Terraform template and navigate to `<unzipped-folder>/architecture/helm`.
  • Apply Terraform for the `security_project` as described in Deploy Prisma AIRS AI Runtime: Network Intercept in AWS.
    Deploying the Terraform for the security project creates the GWLB endpoints in your AWS account.
  • Open the `values.yaml` file found in the path: `<unzipped-folder>/architecture/helm`.
  • Update the `endpoints1` and `endpoints2` values with your GWLB endpoints IP addresses. Below is a sample `values.yaml` file:
    # Default values for ai-runtime-security.
    # This is a YAML-formatted file.
    # Declare variables to be passed into your templates.

    # Configure vpc endpoint per zone. This makes sure kubernetes
    # traffic is not sent across zone. Endpoints can be added or
    # removed based on requirements and zone availability.

    # GWLB VPC endpoint zone1 IP address.
    endpoints1: ""
    endpoints1zone: us-east-1a

    # GWLB VPC endpoint zone2 IP address.
    endpoints2: ""
    endpoints2zone: us-east-1b

    # PAN CNI image.
    cniimage: gcr.io/pan-cn-series/airs/pan-cni:latest

    # Resource namespace name.
    namespace: kube-system

    # Kubernetes ClusterID value range 1-2048.
    clusterid: 1
  • Apply the Helm chart by following the steps below.
  1. Navigate to the downloaded tar file and extract the contents:
    tar -xvzf <your-terraform-download.tar.gz>
  2. Navigate to the appropriate Helm directory based on your deployment configuration:
    • For VPC-level security:
      cd <unzipped-folder>/architecture/helm
    • For namespace-level security with traffic steering inspection:
      cd <unzipped-folder>/architecture/helm-<complete-app-name-path>
      Navigate to each Helm application folder. When you configure traffic steering inspection, separate Helm charts are generated for each protected namespace, allowing granular security policies per application.
  3. Install the Helm chart using the appropriate command:
    • For VPC-level security:
      helm install ai-runtime-security helm --namespace kube-system --values helm/values.yaml
    • For namespace-level security with traffic steering inspection:
      helm install ai-runtime-security helm-<complete-app-name-path> --namespace kube-system --values helm-<complete-app-name-path>/values.yaml
      Repeat this command for each namespace-specific Helm chart generated during the deployment process.
    This creates a container network interface (CNI), but doesn’t protect the container traffic until you annotate the application `yaml` or `namespace`.
  4. Verify the Helm installation:
    # List all Helm releases
    helm list -A
    # Ensure the output shows your installation with details such as:
    NAME                 NAMESPACE    REVISION  UPDATED               STATUS    CHART                      APP VERSION
    ai-runtime-security  kube-system  1         2024-08-13 07:00 PDT  deployed  ai-runtime-security-0.1.0  11.2.2
  5. Check the pod status:
    kubectl get pods -A
    # Verify that pods with names similar to pan-cni-***** are present.
  6. Check the endpoint slices:
    kubectl get endpointslice -n kube-system
    # Confirm that the output shows an ILB IP address:
    NAME              ADDRESSTYPE  PORTS   ENDPOINTS              AGE
    my-endpointslice  IPv4         80/TCP  10.2xx.0.1,10.2xx.0.2  12h
  7. Verify the Kubernetes resources were created properly:
    a. Check the service accounts:
       kubectl get serviceaccounts -n kube-system | grep pan
    b. Check the secrets:
       kubectl get secrets -n kube-system | grep pan
    c. Check the services:
       kubectl get svc -n kube-system | grep pan
    You should see resources such as pan-cni-sa (service account), pan-plugin-user-secret (secret), and pan-ngfw-svc (service).
  8. Annotate your application (the namespace, or each pod in your application yaml) so that traffic from the pods is redirected to Prisma AIRS AI Runtime: Network intercept for inspection.
    Apply the annotation using the command that matches your deployment:
    • For VPC-level security:
      kubectl annotate namespace <namespace-to-be-annotated> paloaltonetworks.com/firewall=pan-fw
    • For namespace-level security with traffic steering inspection:
      kubectl annotate pods --all paloaltonetworks.com/subnetfirewall=ns-secure/bypassfirewall
    Ensure every pod has this annotation so that it is moved to the "protected" state across all cloud environments.
    Restart the existing application pods after applying Helm and annotating the pods for all changes to take effect. This enables the firewall to inspect the pod traffic and secure the containers.
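Because an unannotated pod's traffic bypasses inspection entirely, it is worth auditing coverage after the annotation step rather than assuming it. The following is an added example, not tooling from the page or from Palo Alto Networks: it takes the JSON that `kubectl get namespaces -o json` and `kubectl get pods -A -o json` emit, and lists every pod that is covered neither by the namespace annotation (`paloaltonetworks.com/firewall=pan-fw`) nor by the pod annotation (`paloaltonetworks.com/subnetfirewall`). The sample objects are constructed, and skipping `kube-system` (where the pan-cni pods run) is an assumption you can override with `skip=()`.

```python
"""Audit Prisma AIRS annotation coverage from kubectl JSON output (added example)."""
import json

NS_KEY = "paloaltonetworks.com/firewall"         # namespace annotation (VPC-level security)
POD_KEY = "paloaltonetworks.com/subnetfirewall"  # pod annotation (traffic steering inspection)


def unprotected_pods(pods_json: str, namespaces_json: str,
                     skip: tuple = ("kube-system",)) -> list:
    """Return 'namespace/pod' for each pod covered by neither annotation.

    A pod counts as protected when its namespace carries NS_KEY=pan-fw or the pod
    itself carries POD_KEY. Namespaces in `skip` are ignored (assumption: the
    CNI's own pods in kube-system are not application workloads).
    """
    protected_ns = {
        ns["metadata"]["name"]
        for ns in json.loads(namespaces_json)["items"]
        if ns["metadata"].get("annotations", {}).get(NS_KEY) == "pan-fw"
    }
    missing = []
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        ns = meta["namespace"]
        if ns in skip or ns in protected_ns or POD_KEY in meta.get("annotations", {}):
            continue
        missing.append(f"{ns}/{meta['name']}")
    return missing


# Constructed sample data, shaped like `kubectl get namespaces -o json` and
# `kubectl get pods -A -o json`; only the fields the audit reads are included.
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": "kube-system"}},
    {"metadata": {"name": "web", "annotations": {NS_KEY: "pan-fw"}}},
    {"metadata": {"name": "payments"}},
]})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "pan-cni-abc12", "namespace": "kube-system"}},
    {"metadata": {"name": "frontend-0", "namespace": "web"}},
    {"metadata": {"name": "ledger-0", "namespace": "payments",
                  "annotations": {POD_KEY: "ns-secure/bypassfirewall"}}},
    {"metadata": {"name": "api-0", "namespace": "payments"}},
]})

if __name__ == "__main__":
    # On a live cluster, feed the output of the two kubectl commands instead.
    for ref in unprotected_pods(SAMPLE_PODS, SAMPLE_NAMESPACES):
        print("UNPROTECTED:", ref)
```

Run it with the live cluster output piped in from both kubectl commands; an empty result means every workload pod is covered and the restart in the previous step can proceed.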