This page guides you through deploying a Terraform plan to add AI Runtime Security: Network intercept protection for GCP cloud resources.
On this page, you will configure an AI Runtime Security: Network intercept in Strata Cloud Manager, download the corresponding Terraform template, and deploy it in your cloud environment. This setup integrates the AI Runtime Security instance into your cloud network architecture, enabling comprehensive monitoring and protection of your assets.
After onboarding the cloud account, the Strata Cloud Manager Command Center dashboard shows asset discovery with no AI Runtime Security protection deployed. Unprotected traffic paths to and from applications, AI models, and the internet are marked in red until you add firewall protection. For more details, see Discover Your Cloud Resources.
Select Network from the AI Runtime Security drop-down list at the top.
Select Add Protections ("+" icon).
Select Cloud Service Provider as Google Cloud and select Next.
In Firewall Placement, select one or more traffic flows to inspect.
The following table shows which network traffic types the AI Runtime Security instance and the VM-Series firewall can protect:
| Traffic Type                                                  | AI Runtime Security instance | VM-Series |
|---------------------------------------------------------------|------------------------------|-----------|
| AI Traffic - Traffic between your applications and AI Models  | ✅                           |           |
| Non-AI Traffic and namespaces (example, kube-system)          | ✅                           |           |
| Cluster Traffic                                               | ✅                           |           |
| Non-AI and non-cluster traffic                                | ✅                           | ✅        |
If you select the `kube-system` namespace, the VM-Series firewall option is grayed out, as only an AI Runtime Security instance can protect these namespaces.
Select Next.
In Region & Applications:
Select the cloud account to secure from the list of onboarded cloud accounts.
Select a region from the available options.
In Selected applications:
Select the applications to secure from the drop-down list. This list includes application workloads such as namespaces or VPCs.
Set the Public IP address of each application by selecting Auto generate or Input manually.
Protect the Undiscovered VPC(s) or add a new VPC by selecting Add VPC and entering the VPC Name, the VPC CIDRs IP address ranges, the K8s pod CIDRs (Optional) IP address ranges, and the K8s service CIDRs (Optional).
Select Submit.
Select Next.
In Protection Settings:
Select an AI Runtime Security instance or VM-Series firewall type based on the type of traffic you decided to protect under Firewall Placement in step 5.
Enter the Service account attached to the security VM.
Enter the Flex authentication code (copy the AUTH CODE for the deployment profile you created for AI Runtime Security: Network intercept in the Customer Support Portal).
Enter the SSH key to be used for login (see how to Create SSH keys).
Select Next.
In the Review Architecture screen:
Enter a unique Terraform template name. (Use only lowercase letters, numbers, and hyphens. Don't use a hyphen at the beginning or end, and keep the name under 19 characters.)
Create the Terraform template.
Save and download the Terraform template.
Close the deployment workflow to exit.
Unzip the downloaded file and navigate to <unzipped-folder>, which contains two directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.
Initialize and apply the Terraform plan for the security_project.
The security_project contains the Terraform plan that creates the AI Runtime Security: Network intercept (AI firewall) instance architecture. This plan creates the resources required for in-line prevention by the network intercept, including the managed instance groups, load balancers, and health checks.
cd architecture   # change directory to architecture/security_project
cd security_project
terraform init    # download providers and modules referenced by the plan
terraform plan    # review the resources that will be created before applying
terraform apply
When the apply completes, the security Terraform plan prints its outputs; record the IP addresses in the lbs_external_ips and lbs_internal_ips outputs, as you will need them later.
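A helper for recording those two outputs, added here as an example and not part of the Palo Alto Networks template or documentation: it parses the text of `terraform output -json`, accepts either a list or a map of load balancer name to address (the exact shape of the generated outputs is an assumption), and sanity-checks that internal load balancer addresses are RFC 1918 while external ones are not. The sample JSON at the bottom is constructed.

```python
import ipaddress
import json
import subprocess

# Output names documented for the security_project Terraform plan.
LB_OUTPUTS = ("lbs_external_ips", "lbs_internal_ips")
# Assumed sanity check, not logic from the template: internal LBs get VPC subnet
# addresses, normally RFC 1918; external LB addresses must not be RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return any(addr in net for net in RFC1918)

def _as_map(value):
    """Accept a list of IPs or a map of LB name -> IP (the output shape is assumed)."""
    if isinstance(value, dict):
        return dict(value)
    if isinstance(value, list):
        return {f"lb-{i}": ip for i, ip in enumerate(value)}
    raise ValueError(f"unexpected output shape: {type(value).__name__}")

def record_lb_ips(output_json):
    """Parse `terraform output -json` text into {output_name: {lb_name: ip}}."""
    outputs = json.loads(output_json)
    recorded = {}
    for name in LB_OUTPUTS:
        if name not in outputs:
            raise KeyError(f"output {name} missing; was security_project applied?")
        entries = _as_map(outputs[name]["value"])
        want_private = name == "lbs_internal_ips"
        for lb, ip in entries.items():
            if _is_rfc1918(ip) != want_private:
                kind = "private" if want_private else "public"
                raise ValueError(f"{name}.{lb} = {ip} is not a {kind} address")
        recorded[name] = entries
    return recorded

def record_from_terraform(workdir="."):
    """Run `terraform output -json` in architecture/security_project and record the IPs."""
    proc = subprocess.run(["terraform", "output", "-json"], cwd=workdir,
                          check=True, capture_output=True, text=True)
    return record_lb_ips(proc.stdout)

# Constructed sample in the shape `terraform output -json` prints; real values differ.
SAMPLE_OUTPUT = json.dumps({
    "lbs_external_ips": {"sensitive": False, "type": ["map", "string"],
                         "value": {"ext-lb": "203.0.113.10"}},
    "lbs_internal_ips": {"sensitive": False, "type": ["map", "string"],
                         "value": {"int-lb": "10.10.0.5"}},
})
```

Run `record_from_terraform("architecture/security_project")` after `terraform apply` to capture the addresses, or `record_lb_ips(SAMPLE_OUTPUT)` to see the parsed shape offline.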
Select Workflows → NGFW Setup → Device Management. The AI Runtime Security: Network intercept appears under Cloud Managed Devices.
Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the licenses of the deployed AI Runtime Security: Network intercept (instances).
It takes a while before the Device Status shows as connected.
The AI Runtime Security: Network intercept deployment Terraform also creates an IP-tag collector service, enabling you to retrieve IP-tag information from clusters. These tags are used to populate dynamic address groups (DAGs) for automated security enforcement. Refer to Harvesting IP-Tags for details.