AI Runtime Security
GCP
Table of Contents
GCP
AI Runtime Security post deployment configurations in Panorama and GCP
to protect VM workloads and Kubernetes clusters.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
- Configure Interfaces:
- Navigate to Network > Interfaces.
- Configure Ethernet Interfaces: Configure a Layer 3 Interface for eth1/1 and eth1/2:
- Interfaces: eth1/1 and eth1/2
- Location: Specify the location if applicable
- Interface Type: Layer3
- IP Address: Dynamic (DHCP Client)
- Navigate to Network > Interfaces > Loopback:
- In IPv4s, enter the ILB (Internal Load Balancer) private IP address.
- Set Security Zone to trust for eth1/2 and untrust for eth1/1.
- Ensure VR (Virtual Router) is set to default or the same as eth1/2.
- Configure Zones.
- Configure a logical router:
- Create a Logical Router and add the Layer 3 interfaces (eth1/1 and eth1/2).
- Configure a Static Route with the ILB static IP addresses for routing. Use the trust interface gateway IP address.
You don’t have to configure the Virtual router, as advanced routing is enabled by default on AI Runtime Security: Network intercept. - Add a security policy. Set the action to Allow.Ensure the policy allows health checks from the GCP Load Balancer (LB) pool to the internal LB IP from Panorama. Check session IDs to ensure the firewall responds correctly on the designated interfaces.Select Commit → Commit and Push, to push the policy configurations to the AI Runtime Security: Network intercept.
Configurations to Secure VM Workloads
- Configure Static Routes for VPC endpoints.
- For VPC subnet:
- Edit the IPv4 Static Routes and add the route for the VPC IPv4 range CIDR subnets.
- Set the Next Hop as eth1/2.
- Set the Destination as the trust subnet gateway IP from Strata Cloud Manager.
- Update the static route.
Save the Logical Router.
- Push the policy configurations to the AI Runtime Security: Network intercept managed by Panorama (Panorama > Scheduled Config Push).
Configurations to Secure the Kubernetes Clusters
- Add pod and service IP Subnets to AI Runtime Security trust firewall rules:
- Get the IP addresses for pod and service subnets:
- Go to Kubernetes Engine -> Clusters.
- Select a Cluster and copy the Cluster Pod IPv4 and IPv4 Service range IP addresses.
- Follow the AI Runtime Security: Network intercept deployment in GCP to save and download the Terraform template.
- Edit the Terraform template to allow the following IP addresses in your VPC network firewall rules:
- Navigate to the `<unzipped-folder>/architecture/security_project` directory.
- Edit the `terraform.tfvars` file to add the copied IP addresses list
to your `source_ranges`.firewall_rules = { allow-trust-ingress = { name = "allow-trust-vpc" source_ranges = ["35.xxx.0.0/16", "130.xxx.0.0/22", "192.xxx.0.0/16", "10.xxx.0.0/14", "10.xx.208.0/20"] # 1st 2 IPs are for health check packets. Add APP VPC/Pod/Service CIDRs priority = "1000" allowed_protocol = "all" allowed_ports = [] } }
- Apply the Terraform:terraform init terraform plan terraform apply
- Add Static Routes on the logical router for Kubernetes workloads:
- Pod Subnet:
- Edit the IPv4 Static Routes and add a route with the Pod IPv4 range CIDR.
- Set the Next Hop as eth1/2 (trust interface).
- Set the Destination as the trust subnet gateway IP from Panorama.
- Service Subnet
- Edit the IPv4 Static Routes add a route with the IPv4 Service range CIDR.
- Set the Next Hop as eth1/2 (trust interface).
- Set the Destination as the trust subnet gateway IP from Panorama.
- Add source NAT policy outbound traffic:
- Source Zone: Trust
- Destination Zone: Untrust (eth1/1)
- Policy Name: trust2untrust or similar.
- Set the Interface to eth1/1. (The translation happens at
eth1/1).If needed, create a complementary rule for the reverse direction (for example, untrust2trust).
- Push the policy configurations to the AI Runtime Security: Network intercept managed by Panorama (Panorama > Scheduled Config Push).If you have a Kubernetes cluster running, follow the section to install a Kubernetes application with Helm.
Install a Kubernetes Application with Helm
- Change the directory to the Helm folder:cd <unzipped-folder>/architecture/helmGKE Autopilot clusters don’t support Helm deployments due to restrictions on modifying the kube-system namespace.
- Install the Helm chart:helm install ai-runtime-security helm --namespace kube-system --values helm/values.yamlThis creates a container network interface (CNI), but doesn’t protect the container traffic until you annotate the application `yaml` or `namespace`. Restart the existing application pods within the CNI after the `helm` application.
- Verify the Helm installation:#List all Helm releases helm list -A #Ensure the output shows your installation with details such as: NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION ai-runtime-security kube-system 1 2024-08-13 07:00 PDT deployed ai-runtime-security-0.1.0 11.2.2
- Check the pod status:kubectl get pods -A #Verify that the pods with names similar to `pan-cni-*****` are present.
- Check the endpoint slices:kubectl get endpointslice -n kube-system #Confirm that the output shows an ILB IP address: NAME ADDRESSTYPE PORTS ENDPOINTS AGE my-endpointslice IPv4 80/TCP 10.2xx.0.1,10.2xx.0.2 12h
- Check the services running in the `kube-system` namespace:kubectl get svc -n kube-system #Ensure that services `pan-cni-sa` and `pan-plugin-user-secret` are listed: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE pan-cni-sa ClusterIP 10.xx.0.1 <none> 443/TCP 24h pan-plugin-user-secret ClusterIP 10.xx.0.2 <none> 443/TCP 24h
- Annotate the application `yaml` or `namespace` so that the traffic from the new pods is redirected to AI Runtime Security: Network intercept managed by Panorama for inspection.
For example, for all new pods in the “default” namespace:annotations: paloaltonetworks.com/firewall: pan-fwkubectl annotate namespace default paloaltonetworks.com/firewall=pan-fwAny pod deployed with the helm chart in an annotated namespace will be secured and monitored.