This page guides you through deploying a customizable Terraform to add AI Runtime Security: Network intercept protection for GCP cloud
resources.
On this page, you will configure an AI Runtime Security: Network intercept in Strata
Cloud Manager, download the corresponding Terraform configuration, and deploy it in
your cloud environment. This setup will integrate the AI Runtime Security instance
into your cloud network architecture, enabling comprehensive monitoring and
protection of your assets.
After onboarding, the Strata Cloud Manager Command Center dashboard will
show asset discovery with no AI Runtime Security protection deployed.
Unprotected traffic paths to and from apps, models, and the internet are marked in
red until you add firewall protection. For more details, see Discover Your Cloud Resources.
Select Cloud Service Provider as Google Cloud and select Next.
In Firewall Placement, select one or more traffic flows to
inspect.
The following table shows the network traffic type the AI Runtime Security
instance or the VM-Series firewall can support:
Traffic Type
AI Runtime Security instance
VM-Series
AI Traffic - Traffic between your applications
and AI Models
✅
Non-AI Traffic and namespaces (example,
kube-system)
✅
Cluster Traffic
✅
Non-AI and non-cluster traffic
✅
✅
If you select the `kube-system` namespace,
the VM-Series firewall option will be grayed out, as only an AI Runtime
Security instance can protect these namespaces.
Select Next.
In Region & Applications:
Select your cloud account to secure from the onboarded cloud
accounts list.
Select a region from the available options.
In Selected applications:
Select the applications to secure from the drop-down list.
This list includes application workloads such as namespaces,
or VPCs.
Set the Public IP address of each application by
selecting Auto generate or Input
manually.
Protect the Undiscovered VPC(s) or add a new VPC by
selecting Add VPC and enter the VPC Name,
VPC CIDRs IP address ranges, K8s pod CIDRs
(Optional) IP address ranges, and K8s service CIDRs
(Optional).
Select Submit.
Select Next.
In Protection Settings:
Select an AI Runtime Security instance or VM-Series
firewall type based on the type of traffic you decided to protect under
Firewall Placement in step 5.
Enter the Service account attached to security VM.
Enter the SSH key to be used for login (see how to Create SSH
keys).
Select Next.
In Review Architecture screen:
Enter a unique Terraform template name (use only alphanumeric
characters and hyphens, avoid using a hyphen at the beginning or end,
and limit the name under 19 characters).
Create terraform template.
Save and Download Terraform Template.
Unzip the downloaded file. Navigate to
<unzipped-folder> with 2 directories:
`architecture` and `modules`. Deploy the Terraform templates in your
cloud environment:
cd architecture
cd security_project
terraform init
terraform plan
terraform apply
cd ../application_project
terraform init
terraform plan
terraform apply
After the Terraform is deployed, the Strata Cloud Manager Command Center
dashboard starts discovering the cloud assets and it takes some time to
populate the asset data.
In Available Devices, select the AI Runtime Security instance
and move it to Cloud Managed Devices to be managed by Strata
Cloud Manager.
Switch to the Cloud Managed Devices tab to view and
manage the connected state, the configuration sync state, and the licenses of
the deployed AI Runtime Security instances.
It takes a while before the Device Status shows as
connected.
