Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Zscaler "Base_cc_lb_zpa" deployment type

This deployment type is intended for greenfield/pov/lab purposes. It will deploy a fully functioning sandbox environment in a new Resource Group/VNet with test workload VMs. Full set of resources provisioned listed below. Effectively, this will create all network infrastructure dependencies for an Azure environment. Everything from "Base" deployment type (Creates 1 new Resource Group; 1 VNet with 1 public subnet and 1 private/workload subnet; 1 Centos server workload in the private subnet; 1 Bastion Host in the public subnet assigned a Public IP; and generates local key pair .pem file for ssh access).

Additionally: Creates 2 Cloud Connector private subnets associated to a 2 NAT Gateways; 2 Cloud Connector VMs; Standard Azure Load Balancer; workload private subnet UDR routing to the Load Balancer Frontend IP; Private DNS Resolver, Private DNS Resolver Ruleset, Private DNS Resolver rules based on the number of domains entered, Virtual Network Link for Ruleset, and Outbound Endpoint in a dedicated Outbound DNS subnet.

Caveats/Considerations

  • WSL2 DNS bug: If you are trying to run these Azure terraform deployments specifically from a Windows WSL2 instance like Ubuntu and receive an error containing a message similar to this "dial tcp: lookup management.azure.com on 172.21.240.1:53: cannot unmarshal DNS message" please refer here for a WSL2 resolv.conf fix. microsoft/WSL#5420 (comment).

How to deploy:

Option 1 (guided):

From the examples directory, run the zsec bash script that walks to all required inputs.

  • ./zsec up
  • enter "greenfield"
  • enter "base_cc_lb_zpa"
  • follow the remainder of the authentication and configuration input prompts.
  • script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
  • inputs will be validated and terraform init/apply will automatically exectute.
  • verify all resources that will be created/modified and enter "yes" to confirm

Option 2 (manual):

Modify/populate any required variable input values in base_cc_lb_zpa/terraform.tfvars file and save.

From base_cc_lb_zpa directory execute:

  • terraform init
  • terraform apply

How to destroy:

Option 1 (guided):

From the examples directory, run the zsec bash script that walks to all required inputs.

  • ./zsec destroy

Option 2 (manual):

From base_cc_lb_zpa directory execute:

  • terraform destroy

Requirements

Name Version
terraform >= 0.13.7, < 2.0.0
azurerm >= 3.108.0, <= 3.116
local ~> 2.5.0
null ~> 3.1.0
random ~> 3.3.0
tls ~> 3.4.0

Providers

Name Version
azurerm >= 3.108.0, <= 3.116
local ~> 2.5.0
random ~> 3.3.0
tls ~> 3.4.0

Modules

Name Source Version
bastion ../../modules/terraform-zscc-bastion-azure n/a
cc_identity ../../modules/terraform-zscc-identity-azure n/a
cc_lb ../../modules/terraform-zscc-lb-azure n/a
cc_nsg ../../modules/terraform-zscc-nsg-azure n/a
cc_vm ../../modules/terraform-zscc-ccvm-azure n/a
network ../../modules/terraform-zscc-network-azure n/a
private_dns ../../modules/terraform-zscc-private-dns-azure n/a
workload ../../modules/terraform-zscc-workload-azure n/a

Resources

Name Type
azurerm_private_dns_resolver_virtual_network_link.dns_vnet_link resource
local_file.private_key resource
local_file.testbed resource
local_file.user_data_file resource
random_string.suffix resource
tls_private_key.key resource

Inputs

Name Description Type Default Required
accelerated_networking_enabled Enable/Disable accelerated networking support on all Cloud Connector service interfaces bool true no
arm_location The Azure Region where resources are to be deployed string "westus2" no
azure_vault_url Azure Vault URL string n/a yes
bastion_nsg_source_prefix user input for locking down SSH access to bastion to a specific IP or CIDR range string "*" no
cc_count The number of Cloud Connectors to deploy. Validation assumes max for /24 subnet but could be smaller or larger as long as subnet can accommodate number 2 no
cc_subnets Cloud Connector Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network_address_space variable. list(string) null no
cc_vm_managed_identity_name Azure Managed Identity name to attach to the CC VM. E.g zspreview-66117-mi string n/a yes
cc_vm_managed_identity_rg Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. edgeconnector_rg_1 string n/a yes
cc_vm_prov_url Zscaler Cloud Connector Provisioning URL string n/a yes
ccvm_image_offer Azure Marketplace Cloud Connector Image Offer string "zia_cloud_connector" no
ccvm_image_publisher Azure Marketplace Cloud Connector Image Publisher string "zscaler1579058425289" no
ccvm_image_sku Azure Marketplace Cloud Connector Image SKU string "zs_ser_gen1_cc_01" no
ccvm_image_version Azure Marketplace Cloud Connector Image Version string "latest" no
ccvm_instance_type Cloud Connector Image size string "Standard_D2s_v3" no
ccvm_source_image_id Custom Cloud Connector Source Image ID. Set this value to the path of a local subscription Microsoft.Compute image to override the Cloud Connector deployment instead of using the marketplace publisher string null no
domain_names Domain names fqdn/wildcard to have Azure Private DNS redirect DNS requests to Cloud Connector map(any) n/a yes
encryption_at_host_enabled User input for enabling or disabling host encryption bool true no
env_subscription_id Azure Subscription ID where resources are to be deployed in string n/a yes
environment Customer defined environment tag. ie: Dev, QA, Prod, etc. string "Development" no
health_check_interval The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds) which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 number 15 no
http_probe_port Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB number 50000 no
lb_enabled Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb_frontend_ip. If false, default route next hop directly to the CC Service IP passed from var.cc_service_ip bool true no
load_distribution Azure LB load distribution method string "Default" no
managed_identity_subscription_id Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env_subscription_id string null no
name_prefix The name prefix for all your resources string "zscc" no
network_address_space VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public_subnets, workload_subnets, cc_subnets, and route53_subnets variables string "10.1.0.0/16" no
number_of_probes The number of probes where if no response, will result in stopping further traffic from being delivered to the endpoint. This values allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure number 1 no
owner_tag Customer defined owner tag value. ie: Org, Dept, username, etc. string "zscc-admin" no
private_dns_subnet Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network_address_space variable. string null no
probe_threshold The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. number 2 no
public_subnets Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network_address_space variable. list(string) null no
reuse_nsg Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances bool "false" no
support_access_enabled If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true bool true no
target_address Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses list(string)
[
"185.46.212.88",
"185.46.212.89"
]
no
tls_key_algorithm algorithm for tls_private_key resource string "RSA" no
workload_count The number of Workload VMs to deploy number 1 no
workloads_subnets Workload Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network_address_space variable. list(string) null no
zones Specify which availability zone(s) to deploy VM resources in if zones_enabled variable is set to true list(string)
[
"1"
]
no
zones_enabled Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and module will create an availability set resource instead for VM fault tolerance bool false no
zpa_enabled Configure Azure Private DNS Outbound subnet, Resolvers, Rulesets/Rules, and Outbound Endpoint ZPA DNS redirection bool true no
zssupport_server destination IP address of Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net string "199.168.148.101" no

Outputs

Name Description
testbedconfig Azure Testbed results