>
    Strata Copilot
    Deploy GWLB-Based SLR in AWS
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Deploy Security Lifecycle Review (SLR) for AWS
    5. Deploy GWLB-Based SLR in AWS
    Download PDF
    Prisma AIRS

    Deploy GWLB-Based SLR in AWS

    Table of Contents

    Deploy GWLB-Based SLR in AWS

    Deploy GWLB-based SLR when you want to monitor multiple applications across different VPCs simultaneously.
    Deploy GWLB-based SLR when you want to monitor multiple applications across different VPCs.
    Where Can I Use This?What Do I Need?
    • Prisma AIRS AI Runtime Security Risk Assessment in AWS
    1. Log in to Strata Cloud Manager.
    2. Navigate to Insights AI Runtime AI Runtime Firewall.
    3. In the top right corner, click on the binocular icon.
    4. Select a cloud service provider and select Next.
      If you have previously created an SLR deployment, select Add New SLR Deployment on the SLR Monitoring deployment screen.
    5. In Regions & Application(s):
      1. Select the cloud account you want to secure.
      2. Select the Region in which you want to protect the applications.
      3. Click Add New Application/ENIs, and select the application’s ENIs.
      4. Select Next.
    6. In Deployment Parameters, select Gateway Load Balancer (GWLB) based deployment.
      1. Enter the configurations to create the GWLB endpoints:
      2. In GWLB Endpoint CIDR: Enter the subnet’s CIDR IP address for each application’s endpoint. Ensure the CIDR is part of the application VPC where you want to monitor traffic.
      3. Configure the following:
        IP addressing schemeLicensingManagement parameters
        • Number of firewalls to deploy.
        • CIDR value for the security VPC. CIDR IP address of the firewall.
        • PAN OS version for your image.
        • Flex authentication code (Copy AUTH CODE for the deployment profile you created for Prisma AIRS AI Runtime: Network intercept in Customer Support Portal).
        • Device Certificate PIN ID.
        • Device Certificate PIN value.
        • List CIDR ranges to be allowed access to the management interface.
        • Enter the SSH key to be used for login (see how to create a key pair for your Amazon EC2 instance).
        • Select Manage by SCM and select the SCM folder to group the Prisma AIRS AI Runtime: Network intercept. (See, Workflows: Folders - Strata Cloud Manager).
          Select the SCM folder with the default configuration snippet - "AIRS-SLR-AWS-default" you created in the prerequisite step from the SLR deployment section.
    7. Select Next.
    8. Enter a Terraform template name.
      Review the network architecture for GWLB-based centralized SLR deployment:
      2 VPC: Application VPC and Security VPC.
      • The GWLB endpoint in the application VPC monitors the mirroring traffic between the application ENIs.
      • GWLB in the security VPC collects the mirrored traffic routed from the GWLB endpoint.
      • SLR is deployed in the security VPC behind GWLB.
      • Interfaces - eth1/1: GWLB transfers the mirrored traffic to the SLR instances through eth1/1.
    9. Click Generate Terraform Template.
    10. Click Download Terraform Template and save the zip file. This saves and downloads the SLR deployment Terraform.
    11. Click Done.
    12. Unzip the downloaded file.
      Navigate to <unzipped-folder> with 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.
    13. Initialize and apply the Terraform for the security_project.
      Deploying Terraform for the security project creates the GWLB endpoints in your selected application VPC. The security Terraform deploys an Auto Scaling Group (ASG) in a security VPC with an SLR, the SLR receives the mirrored traffic from application ENIs.
      The security_project contains the Terraform plan to deploy an SLR in traffic mirroring mode in a centralized security VPC behind AWS Gateway Load Balancer (GWLB) with multiple endpoints.
      cd architecture

cd security_project
terraform init
terraform plan
terraform apply
      The output is similar to the below snippet and displays the SLR public IP address.
      Output:
Apply complete! Resources: 6 added, 0 changed, 1 destroyed.
Outputs:

App_inspected_dns_name = []
Gwlb_service = {
"Security_gwlb" = "com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxxxxxxxx"
}
    14. Run the application Terraform to peer the application VPCs. The application Terraform enables packet mirroring at the application workload and exports traffic to SLR.
      cd ../application_project
terraform init
terraform plan
terraform apply
      The output lists the GWLB endpoints and the traffic mirror sessions.
      Next, View and Manage SLR Reports for threat analysis and risk mitigation.

    © 2026 Palo Alto Networks, Inc. All rights reserved.