Deploy Per Application VPC-Based SLR in AWS

1. Log in to Strata Cloud Manager.
2. Navigate to Insights Prisma AIRS Prisma AIRS AI Runtime: Network intercept.
3. In the top-right corner, click on the binocular icon.
4. Select a cloud service provider and select Next.

   If you have previously created an SLR deployment, select Add New SLR Deployment on the SLR Monitoring deployment screen.

5. In Regions & Application(s):

   1. Select your cloud account to secure from the onboarded cloud accounts list.
   2. Select a region in which you want to protect the applications.
   3. Click Add New Application/ENIs, and select the application ENIs from the available list.
   4. Select Next.

6. In Deployment Parameters, select Per Application VPC.

   Input the CIDR for each selected application:

   • Enter the CIDR IP address for the management port.
   • Enter the CIDR IP address for the Untrust VPC subnet.
   • In Zone, select the zone where your application resides in the specified VPC ID (these are the available zones in the region you selected earlier).
     You can choose multiple applications within the same VPC.

7. Configure the following:

   IP addressing scheme	Licensing	Management parameters
   Number of firewalls to deploy	Enter the following values: PAN OS version for your image. Flex authentication code (Copy AUTH CODE for the deployment profile you created for Prisma AIRS AI Runtime: Network intercept in Customer Support Portal). Device Certificate PIN ID. Device Certificate PIN value.	In Management parameters, enter the following: List CIDR ranges to be allowed access to the management interface. The SSH key to be used for login (see how to create a key pair for your Amazon EC2 instance). Manage by SCM and then select the SCM folder to group the Prisma AIRS AI Runtime: Network intercept. (See, Workflows: Folders - Strata Cloud Manager). Select the SCM folder with the default configuration snippet - "AIRS-SLR-AWS-default" you created in the prerequisite step from the SLR deployment section.

8. Select Next.
9. Enter a Terraform template name.
10. Click Generate Terraform Template.
11. Click Download Terraform Template and save the zip file.

12. Click Done.
13. Initialize and apply the Terraform for the `security_project` to deploy a standalone SLR per VPC in traffic mirroring mode within the application VPC.

    The security Terraform for the security project creates the Gateway Load Balancer (GWLB) endpoints in your selected application VPC. It also deploys an Auto Scaling Group (ASG) with an SLR in a security VPC. The SLR receives the mirrored traffic from the application ENIs.

    cd architecture
    
    cd security_project
    terraform init
    terraform plan
    terraform apply
    

    To ensure the Per App SLR management interface can connect to the internet through the Internet Gateway(IGW) to function properly in your security VPC, you must manually add the IGW to its route table.

    Configure IGW for SLR firewall management subnet:

    1. Create an Internet Gateway (IGW) in your application VPC if you have not done so already.
       For detailed instructions, refer to the AWS documentation: Create and attach an internet gateway.
    2. Navigate to AWS Console > EC2 > Instances and search for the SLR (AI firewall) instance.
    3. Go to the Networking tab and click on the Subnet ID associated with the management port of the SLR firewall.
    4. In the subnet details, select the Route table tab.
    5. Edit the route table and add a new route:
       • Destination: 0.0.0.0/0
       • Target: Select the IGW you created earlier
    6. Save the changes to update the route table.

14. Navigate to the `application_project` directory, and run the application Terraform to peer the application VPCs.

    This sets up traffic mirroring sessions to direct traffic to the SLR firewall for monitoring.

    cd ../application_project
    terraform init
    terraform plan
    terraform apply

    Next, View and Manage SLR Reports for threat analysis and risk mitigation.