>
    Strata Copilot
    Private Cluster Discovery
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Discover Your Cloud Resources
    5. Private Cluster Discovery
    Download PDF
    Prisma AIRS

    Private Cluster Discovery

    Table of Contents

    Private Cluster Discovery

    Learn how Private Cluster Discovery helps secure your private Kubernetes clusters
    Where Can I Use This?What Do I Need?
    • Prisma AIRS AI Runtime Firewall
    • AWS
    • Azure
    Private cluster discovery enables you to deploy security components across multiple cloud accounts and secure Kubernetes workloads running in private clusters. Kubernetes clusters are often deployed as private clusters that do not expose the cluster endpoint to the public internet. While this configuration enhances security, it prevents traditional discovery services from accessing cluster information needed for security policy enforcement. Additionally, many organizations require the flexibility to deploy applications and security infrastructure in different cloud accounts to maintain separation of responsibilities between application and security teams. This feature enables you to maintain security visibility and control over private Kubernetes workloads while supporting the organizational and operational requirements of enterprise cloud deployments.
    Private cluster discovery deployment solves these challenges by:
    • Collecting IP and tag information from private Kubernetes clusters using a Tag Collector Agent
    • Enabling deployment of security components in accounts separate from application workloads
    • Providing cross-account resource sharing and communication mechanisms
    • Maintaining centralized visibility and policy enforcement across distributed infrastructure
    The Tag Collector is a lightweight agent that runs within your cloud environment to gather IP and tag information from private Kubernetes clusters. Unlike traditional discovery methods that require direct cluster access, Tag Collector operates within your network perimeter and can reach private cluster endpoints. The tag collector:
    • Automatically discovers and monitors Kubernetes clusters within your environment
    • Collects metadata including labels, annotations, IP addresses, and namespace information
    • Supports both single-account and cross-account deployments
    • Communicates collected data to the Cloud IP-Tag Service via secure channels

    Cross-Account Resource Sharing

    Cross-account resource sharing enables communication and resource access between different cloud accounts in your deployment. This capability uses cloud-native services to securely share networking and security resources across account boundaries.
    AWS
    • Resource Access Manager (RAM): Shares Transit Gateway resources across accounts
    • Gateway Load Balancer (GWLB): Enables cross-account traffic inspection
    • Service Principals: Manages cross-account service access permissions
    Azure
    • Virtual Network Peering: Connects networks across Azure subscriptions
    • Private DNS Zones: Enables name resolution for private cluster endpoints
    • Resource Group Sharing: Provides access to shared networking resources

    Limitations

    • Automatic discovery does not support public or hybrid clusters. You must onboard those clusters manually. Additionally, if you change an onboarded private cluster to public or hybrid, the cluster gets disconnected from Prisma AIRS. If you change the cluster back to private, you must perform a commit to reestablish the connection.
    • You cannot upgrade your tag collector PAN-OS 11.2.10; you must deploy a new tag collector.

    Next Steps

    If Prisma AIRS detects private clusters in your AWS or Azure environment, the Cloud Network Security page displays two notifications. When you login, Prisma AIRS displays a notification in the top right corner. You can click Generate Agent Terraform to begin the deployment process. Additionally, Prisma AIRS lists detected private clusters in the Recommended Actions list.
    To implement private cluster discovery and cross-account deployment:
    1. Plan your architecture: Determine which components will deploy in which accounts based on your organizational structure
    2. Configure account onboarding: Ensure all involved cloud accounts are properly onboarded to Strata Cloud Manager
    3. Deploy the tag collector in your AWS or Azure environment: Configure and deploy Tag Collector with appropriate cross-account permissions
    4. Validate the private cluster discovery: Verify that private cluster assets appear in your asset inventory
    5. Configure Security Infrastructure: Deploy AI Runtime firewalls or VM-Series firewalls with optional cross-account connectivity
    6. Create Security Policies: Define and deploy security policies based on discovered assets

    © 2025 Palo Alto Networks, Inc. All rights reserved.