Secure AI Agents with Langflow, Vault, Prisma AIRS on AWS EKS
Learn how Langflow, Vault, and Prisma AIRS can work together to build secure, compliant AI agent flows with built-in guardrails.
Author(s): Oscar Medina, Polina Jastrzebska, Ryan Anderson, René Ugarte
Building AI-powered agents is no longer just about connecting models and APIs - it’s about ensuring security, compliance, and trust from the very beginning. In this post, we’ll walk through a pattern implemented in Langflow. We showcase how DataStax Langflow, HashiCorp Vault, and Palo Alto Networks Prisma AIRS can be integrated to deliver an AI workflow that is both functional and enterprise-ready to be deployed on AWS Elastic Kubernetes Service (EKS). We’ve put together a proof-of-concept repository that demonstrates this integration pattern in practice.
»Langflow: A visual framework for agentic AI development
At the heart of the setup is Langflow, a visual programming interface that makes it simple to design agent flows and orchestrate large language model (LLM) interactions. Its drag-and-drop interface transforms complex AI orchestration into an intuitive process in a no-code or low-code manner, or in combination. Unlike traditional pro-code approaches, Langflow enables developers and business teams to construct sophisticated AI agents through a node-based system where each component represents a specific function; from LLM calls and data processing to decision logic and a myriad of third-party integrations. This visual paradigm is particularly powerful for agentic flows because it allows developers to clearly map out the decision trees, feedback loops, and multi-step reasoning chains that define intelligent agent behavior, making complex AI workflows both comprehensible and maintainable.
The platform is especially suited for use cases that require dynamic, context-aware AI interactions and multi-step processing pipelines. Customer support automation benefits from Langflow’s ability to chain together intent recognition, knowledge base queries, and response generation with human handoff logic (a.k.a. human-in-the-loop). Content generation workflows leverage its strength in orchestrating research, synthesis, and refinement steps with multiple LLM calls and validation checkpoints. Data analysis applications particularly shine when combining Langflow’s visual flow design with structured and unstructured data processing. Enabling agents that can query databases, analyze results, generate insights, and create reports autonomously. Research and documentation workflows also benefit from Langflow’s ability to coordinate web scraping, information synthesis, and structured output.
Langflow’s integration capabilities are where its enterprise readiness truly stands out, especially through its strategic partnership with AWS. Native support for Amazon Bedrock enables seamless access to foundation models from Anthropic, Meta, Cohere, and others, while integration with AWS Lambda, Amazon S3, and Amazon SageMaker allows Langflow agents to interact with serverless functions, scalable storage, and custom model endpoints. These integrations make it easy to embed Langflow into existing AWS architectures, accelerating deployment and operationalization of agentic AI solutions. Vector databases such as IBM’s DataStax Astra DB and many others are available to serve as the core of many Retrieval Augmented Generation (RAG) and agentic AI flows. Not to mention custom API connections are as easily done to access first-party, private, and public third-party endpoints to help meet the application’s use case requirements. This extensibility is crucial for enterprise agentic applications that need to interact with existing business systems, CRM platforms, databases, supply chain systems of truth, Internet of Things (IoT) devices, workflow management tools, and so much more. The combination of visual development, robust integrations with open and closed source services, and production-ready deployment options positions Langflow as the ideal bridge between experimental and proof of AI concepts to scalable, business-critical agentic solutions in production.
»Enforce compliance and safety with Prisma AIRS
To enforce trust and compliance, Prisma AIRS is layered into the Langflow pattern. Every user input and LLM output is scanned for malicious, harmful, or non-compliant content before reaching its destination. Whether it’s catching a phishing URL or preventing unsafe instructions from propagating, Prisma AIRS acts as the guardrail that keeps interactions safe without breaking the flow of conversation.
»What is Prisma AIRS?
Prisma AI Runtime Security is Palo Alto Networks’ solution for securing AI applications at runtime. Instead of relying only on static policies or offline testing, AIRS monitors AI interactions in real time, detecting and intercepting threats as they occur. It adds a security layer purpose-built for AI-driven systems, covering risks such as data leakage, malicious payloads, jailbreak attempts, and non-compliant outputs.
»Why should organizations use Prisma AIRS for agentic flows?
As organizations adopt agentic flows where LLMs can autonomously call external tools, APIs, and engage other systems, the security stakes get higher. These agents aren’t just generating text - they are taking action on behalf of users and enterprises. Without runtime guardrails, a single unsafe instruction could expose sensitive data, trigger harmful actions, or create compliance violations. Prisma AIRS ensures that every interaction is continuously validated, giving teams the confidence to deploy AI safely in enterprise environments.
The result is an AI agent architecture that not only works but also respects enterprise-grade requirements for security, compliance, and flexibility. In our proof-of-concept, Prisma AIRS is used for API Intercept: before being sent to the LLM, each prompt is scanned by Prisma AIRS. If the verdict is malicious, nothing is sent - the request is blocked. The same applies to the output, ensuring harmful responses are intercepted before reaching the user.
»Prevent secret sprawl with HashiCorp Vault
In the creation of agentic flows, applications often need to send requests to external systems. This usually requires providing multiple sets of credentials inside Langflow. Managing these secrets securely is critical, and that’s where HashiCorp Vault comes in. Vault provides a robust way to store and manage sensitive values such as API keys, passwords, and access tokens.
Instead of hardcoding sensitive credentials, Langflow connects directly to HashiCorp Vault, ensuring API keys and secrets are securely managed and injected at runtime. This eliminates secret sprawl - the uncontrolled duplication of credentials across environments - and reduces the risk of credentials leaking into code or logs.
Since Langflow flows are exported as JSON files, there’s a real risk of embedding sensitive values directly into the exported configuration. If those files are later shared, uploaded to collaboration tools, or committed to Git repositories, the secrets inside become exposed. Once committed, even briefly, secrets are extremely hard to fully remove since they remain in the commit history and may already be cloned or mirrored. Attackers actively scan public repositories for leaked credentials, and even private repos can be compromised. This makes secret sprawl through exported flows and Git commits a serious vulnerability, underscoring the importance of using HashiCorp Vault for runtime injection instead of hardcoding.
HashiCorp Vault directly addresses this concern by ensuring secrets are never embedded in Langflow exports or exposed to the LLM. All secrets stored in Vault are encrypted at rest and in transit, protecting them even if storage media or network traffic is compromised. When Langflow requests a secret, Vault injects it securely at runtime without ever persisting it in flow files. Just as importantly, the LLM inside the agent never sees the raw credential - it only receives the results of the API call made on its behalf. This design prevents sensitive values like API keys or tokens from leaking into prompts, or downstream outputs, significantly reducing the risk of exposure.
»Production deployment on AWS EKS
This blog post assumes you already have provisioned your Amazon EKS cluster using the tooling of your choice. We will focus on the deployment of the Langflow app and showcasing how it retrieves secrets from Vault.
For production deployments, this architecture leverages Amazon EKS (Elastic Kubernetes Service). Running on EKS provides scalability, resiliency, and enterprise-level orchestration—ensuring that as AI agents move from proof-of-concept to production, they can handle real-world workloads while remaining secure and compliant.
By combining visual orchestration (Langflow), secure secret management (Vault), runtime content protection (Prisma AIRS), and the scalability of AWS EKS, this project demonstrates what a truly secure-by-design AI workflow can look like in enterprise environments.
Langflow excels as a visual development environment for designing and testing agentic workflows—allowing developers to rapidly iterate on LLM chains, tool integrations, and memory patterns. However, in enterprise settings, these prototypes must evolve into secure, observable, and scalable services before they can be trusted in production.
That’s where Amazon EKS comes in. Rather than running Langflow as a standalone desktop or notebook application, containerize it for deployment on EKS. This transforms the Langflow flow into a stateless, API-driven microservice that:
Scales automatically under load
Integrates with enterprise identity and secret management (via HashiCorp Vault)
Is protected at runtime by AI-specific security controls (via Prisma AIRS)
Runs on infrastructure that meets compliance and availability requirements
In this architecture, Langflow is the design-time interface—the “blueprint” for the agent—while EKS hosts the runtime execution environment. The two are connected through code generation and CI/CD: once a flow is validated in Langflow, it’s exported, version-controlled, containerized, and deployed to EKS as part of a secure software delivery pipeline.
This pattern ensures that the agility of Langflow doesn’t come at the cost of security or operational rigor—giving teams the best of both worlds: developer velocity + enterprise trust.
NOTE: Because HCP Vault Dedicated runs in an AWS account, it integrates natively with EKS over private networking—enabling low-latency, secure secret delivery without traversing the public internet. To learn more on this configuration, please see Configure AWS Private Link.
» Deploy HCP Vault Dedicated cluster
Use HCP Vault Dedicated as the recommended solution for secrets management in production environments, due to critical advantages that address enterprise security, operational efficiency, and scalability.
Provision a cluster.
Enable the K/V secrets engine. Read more about managing HCP Vault Dedicated.
Store LLM and Prisma AIRS credentials at the appropriate path expected by Langflow components.
»Architecture overview - Langflow IDE and runtime separation on EKS
The architecture used in this deployment follows Langflow’s recommended separation between development (IDE) and production (runtime) environments. This pattern ensures that agentic flows can be designed, tested, and validated in a secure and iterative manner before being deployed as scalable, headless services on Amazon EKS.
Development: Langflow IDE
In the development phase, Langflow is deployed with both its visual editor (frontend) and API server (backend). This environment is used by developers and solution architects to visually design agent workflows, integrate third-party tools, and test logic chains. The IDE supports rapid iteration and debugging, making it ideal for prototyping and experimentation.
Frontend: Drag-and-drop interface for building flows.
Backend: Executes flow logic and handles API interactions.
Storage: External PostgreSQL for flow data and history.
Use case: Internal development, testing, and validation.
Production: Langflow runtime
Once a flow is validated, it is exported and deployed as a headless runtime service on EKS. This production deployment runs only the Langflow backend, exposing flows as API endpoints without the visual editor. It is optimized for performance, security, and scalability.
Backend-only: Runs with --backend-only flag.
External PostgreSQL: Shared with IDE for consistency.
Secrets via Vault: Injected securely at runtime.
Security: Prisma AIRS scans inputs/outputs for malicious content.
Use case: Serving agentic flows in production with enterprise-grade controls.
This hybrid architecture allows teams to iterate quickly while maintaining operational rigor and security—fully aligned with Langflow’s recommended deployment architecture.
NOTE: For the purpose of this post, we are deploying the “Development: Langflow IDE” environment. For the production environment, you want to ensure you provision storage (PostgreSQL) and deploy using the --backend-only flag.
»Package flow as Docker image and deploy to EKS
Langflow provides a powerful visual interface for designing agentic workflows, but production deployment requires packaging these flows into a containerized service. This section walks through the steps to export, structure, build, and deploy Langflow flows on Amazon EKS using Docker.
»Export Langflow flow to JSON
Once your flow is finalized in Langflow:
Open the Langflow UI.
Click Share → Export.
Save the exported JSON file locally.
This file represents the logic of your agent and will be placed in the /flows directory of your application.
Create app directory structure
Follow Langflow’s recommended directory structure (Langflow Doc).
app/
├── docker.env
├── Dockerfile
├── flows/
│ ├── LangFlow_POT-PrismaAIRS-Vault.json
│ └── flow2.json
├── langflow-config/
│ └── pyproject.toml
├── README.md
flows/: Contains exported flow JSON files.
langflow-config/: Holds configuration files, logs, and database.
docker.env: Defines environment variables for Langflow runtime.
pyproject.toml: Specifies additional Python dependencies (e.g., hvac for Vault integration).
»Build Docker image
The Dockerfile uses the specific version of the Langflow image as shown below. The Dockerfile also includes dependencies needed by Langflow, such as hvac - the Python client for HashiCorp Vault. You can run the Docker image with full UI support, or just as a backend by specifying the --backend-only flag.
# Use the latest version of the base Langflow image
FROM langflowai/langflow:1.5.0
# Create folders and set the working directory in the container
RUN mkdir /app/flows
RUN mkdir /app/langflow-config
RUN uv pip install hvac==2.3.0
RUN pip install --no-cache-dir hvac==2.3.0
WORKDIR /app
# Copy flows, langflow-config, and docker.env to the container
COPY flows /app/flows
COPY langflow-config /app/langflow-config
COPY docker.env /app/docker.env
# Optional: Copy custom components to the container
#COPY components /app/components
# Optional: Use custom dependencies
COPY pyproject.toml /app/
# Set environment variables if not set in docker.env
ENV PYTHONPATH=/app
ENV LANGFLOW_LOAD_FLOWS_PATH=/app/flows
ENV LANGFLOW_CONFIG_DIR=/app/langflow-config
ENV LANGFLOW_COMPONENTS_PATH=/app/components
ENV LANGFLOW_LOG_ENV=container
# Command to run the Langflow server on port 7860
EXPOSE 7860
# serve with langflow backend only.
#CMD ["langflow", "run", "--backend-only", "--env-file","/app/docker.env","--host", "0.0.0.0", "--port", "7860"]
#test with both backend and UI
CMD ["langflow", "run", "--env-file","/app/docker.env","--host", "0.0.0.0", "--port", "7860"]
Next, we will build the Docker image that eventually is stored in Amazon ECR, which our deployment manifest will reference. With a single command executed within the app/ folder, we build and push the image with a specific architecture to ECR.
NOTE: Most environments will have a mature image building pipeline. The build example in this blog post is not meant to be a mature approach to building images at scale. If you wish to have a mature image bakery CI/CD pipeline, please review this documentation.
# build and push in one step (this is executed on MacOs using buildx)
docker buildx build \
--no-cache \
--platform linux/amd64 \
-t 865855451418.dkr.ecr.us-east-2.amazonaws.com/langflow:latest \
--push \
»Deploy App to EKS
To deploy our solution, we’ll begin by defining a Kubernetes Deployment to manage the application’s lifecycle—handling scaling, updates, and availability. For this exercise, we’ll skip creating a Kubernetes Service to expose the app externally. Instead, we’ll use port-forwarding to securely test and interact with the application from our local machine.
With the Docker image now stored in Amazon ECR, we’re ready to deploy to Amazon EKS. We’ve disabled Langflow telemetry for simplicity during this exercise. However, in a production environment, enabling telemetry is strongly recommended to gain insights into performance, monitor system health, and track errors effectively.
NOTE: Please ensure you modify the ECR URI in the manifest shown below.
apiVersion: apps/v1
kind: Deployment
metadata:
name: langflow-pokedex
namespace: hashi-lang-app
labels:
app: langflow-pokedex
spec:
replicas: 3
selector:
matchLabels:
app: langflow-pokedex
template:
metadata:
labels:
app: langflow-pokedex
spec:
containers:
- name: langflow-pokedex
image: <REPLACE WITH URI OF YOUR ECR IMAGE>
ports:
- containerPort: 7860
env:
- name: PORT
value: "7860"
- name: LANGFLOW_TELEMETRY_ENABLED
value: "false" # ← Add this
resources:
requests:
memory: "1Gi" # ← Increase from 512Mi
cpu: "250m"
limits:
memory: "2Gi" # ← Increase from 1Gi (double it to start)
cpu: "500m"
imagePullPolicy: IfNotPresent
Let’s create a namespace in EKS to deploy the app and forward the port to access the UI
kubectl create ns hashi-lang-app
kubectl apply -f manifests/deployment.yaml
kubectl port-forward -n hashi-lang-app deployment/langflow-agent 7860:7860
At this point, we have the app running and accessible via http://localhost:7860.
»Handling global parameters like Vault_token and Prisma_Profile
Before we test our flow via a curl command, we need to set some global parameters. Langflow supports global variables that can be reused across flows and components. These are ideal for credentials like Vault_token and Prisma_Profile.
You can define them manually in the Langflow UI:
Click your profile icon → Settings → Global Variables.
Click Add New.
Enter the variable name and value.
Optionally, select a type (Generic or Credential) and apply it to specific fields.
Langflow also supports sourcing global variables from environment variables. For example, setting VAULT_TOKEN or PRISMA_PROFILE in your Docker environment will automatically populate them as global variables.
For more details, refer to Langflow’s Global Variables documentation.
»Testing to ensure Prisma AIRS rejects malicious content
Now that we’ve successfully called our Langflow application. Let’s test to ensure Prisma AIRS rejects any malicious input. To do this, we add a malicious URL as the input via a curl command:
curl --request POST \
--url 'http://localhost:7860/api/v1/run/d8ce3af0-db6e-4f97-876c-9869df127187?stream=true' \
--header 'Content-Type: application/json' \
--data '{
"input_value": "Summarize the content of this page http://secure-login.example.com@phishing-site.evil.com/verify?session=123456&redirect=bank.com",
"output_type": "chat",
"input_type": "chat",
"session_id": "question_test_request"
}' \
| jq 'select(.event == "end")'
And the expected response looks as follows, note how the response explicitly says PRISMA has blocked the request due to established guardrails.
{
"event": "end",
"data": {
"result": {
"session_id": "question_test_request",
"outputs": [
{
"inputs": {
"input_value": "Summarize the content of this page http://secure-login.example.com@phishing-site.evil.com/verify?session=123456&redirect=bank.com"
},
"outputs": [
{
"results": {
"message": {
"text_key": "text",
"data": {
"timestamp": "2025-10-02 21:58:24 UTC",
"sender": "Machine",
"sender_name": "AI",
"session_id": "question_test_request",
"text": "** Blocked Due to PRISMA API Guardrail ** The URL is categorized as malicious.\n",
"files": [],
"error": false,
"edit": false,
"properties": {
"text_color": "",
"background_color": "",
"edited": false,
"source": {
"id": "Agent-38bp3",
"display_name": "Agent",
"source": "models/gemini-2.0-flash-001"
},
"icon": "bot",
"allow_markdown": false,
"positive_feedback": null,
"state": "complete",
"targets": []
},
"category": "message",
"content_blocks": [
{
"title": "Agent Steps",
"contents": [
{
"type": "text",
"duration": 1,
"header": {
"title": "Input",
"icon": "MessageSquare"
},
"text": "**Input**: Summarize the content of this page http://secure-login.example.com@phishing-site.evil.com/verify?session=123456&redirect=bank.com"
},
{
"type": "tool_use",
"duration": 596,
"header": {
"title": "Executed **make_api_request**",
"icon": "Hammer"
},
"name": "make_api_request",
"tool_input": {
"dynamic_body": "{\n \"metadata\": {\n \"ai_model\": \"Google GEMINI 2.0 Flash - Test AIRS with Langflow\",\n \"app_name\": \"PineCone Test\",\n \"app_user\": \"LANGFLOW - Agent Instructions\"\n },\n \"contents\": [\n {\n \"prompt\": \"Summarize the content of this page http://secure-login.example.com@phishing-site.evil.com/verify?session=123456&redirect=bank.com\"\n }\n ],\n \"ai_profile\": {\n \"profile_name\": \"Acorn-Security-Profile\"\n }\n}"
},
"output": {
"source": "https://service.api.aisecurity.paloaltonetworks.com/v1/scan/sync/request",
"status_code": 200,
"response_headers": {
"content-type": "application/json",
"date": "Thu, 02 Oct 2025 21:58:26 GMT",
"content-length": "439",
"x-request-id": "a4ba79e9-8d41-4dde-bcfc-81cb22254ec3",
"via": "1.1 google"
},
"result": {
"action": "block",
"category": "malicious",
"profile_id": "0ea76590-c497-4ecc-925a-28e5760f10ad",
"profile_name": "Acorn-Security-Profile",
"prompt_detected": {
"agent": false,
"dlp": false,
"injection": false,
"malicious_code": false,
"toxic_content": false,
"url_cats": true
},
"report_id": "Rb0292bb6-e182-433c-b031-cfd47f4d6a9b",
"response_detected": {},
"scan_id": "b0292bb6-e182-433c-b031-cfd47f4d6a9b",
"source": "AI-Runtime-API",
"tool_detected": {},
"tr_id": ""
}
},
"error": null
},
{
"type": "text",
"duration": 696,
"header": {
"title": "Output",
"icon": "MessageSquare"
},
"text": "** Blocked Due to PRISMA API Guardrail ** The URL is categorized as malicious.\n"
}
],
"allow_markdown": true,
"media_url": null
}
.....
}
This pattern eliminates secret sprawl, enforces least privilege, and aligns with HashiCorp’s secure-by-default philosophy.
Combined with Prisma AIRS for runtime AI protection, the solution is now a robust, full-stack, enterprise-ready AI agent architecture.
