This deployment type is intended for greenfield, proof-of-value (POV) and lab purposes. It deploys a fully functioning sandbox environment in a new Resource Group and VNet with test workload VMs; the full set of resources provisioned is listed below. Effectively, it creates every network infrastructure dependency for an Azure environment. It includes everything from the "Base" deployment type: 1 new Resource Group; 1 VNet with 1 public subnet and 1 private/workload subnet; 1 CentOS server workload in the private subnet; 1 Bastion Host in the public subnet with a Public IP; and a locally generated key pair .pem file for SSH access.
Additionally, it creates: 2 Cloud Connector private subnets, each associated with its own NAT Gateway; 2 Cloud Connector VMs; a Standard Azure Load Balancer; a workload private subnet UDR whose default route points to the Load Balancer Frontend IP; and, for ZPA DNS redirection, a Private DNS Resolver, a Private DNS Resolver Ruleset, one Private DNS Resolver rule per domain entered, a Virtual Network Link for the Ruleset, and an Outbound Endpoint in a dedicated Outbound DNS subnet.
- WSL2 DNS bug: If you are running these Azure Terraform deployments from a Windows WSL2 instance (for example Ubuntu) and receive an error similar to "dial tcp: lookup management.azure.com on 172.21.240.1:53: cannot unmarshal DNS message", refer to the WSL2 resolv.conf fix in microsoft/WSL#5420 (comment).
From the examples directory, run the zsec bash script, which walks through all required inputs:
- ./zsec up
- enter "greenfield"
- enter "base_cc_lb_zpa"
- follow the remainder of the authentication and configuration input prompts
- the script detects the client operating system and downloads/runs a specific version of Terraform in a temporary bin directory
- inputs are validated and terraform init/apply execute automatically
- verify all resources that will be created/modified and enter "yes" to confirm
Alternatively, modify/populate any required variable input values in the base_cc_lb_zpa/terraform.tfvars file, save it, and from the base_cc_lb_zpa directory execute:
- terraform init
- terraform apply
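A sample terraform.tfvars for this deployment, added here as an illustration rather than taken from the project. It sets every input the table below marks as required and shows the two settings a practitioner should look at before a non-lab deployment: bastion_nsg_source_prefix, whose default "*" permits SSH to the bastion from any source, and the host-encryption/accelerated-networking flags, which default to true. All IDs, URLs, domains and CIDRs are placeholders; the shape of the domain_names map (label keys, FQDN/wildcard values) is an assumption.

```hcl
# Sample terraform.tfvars for base_cc_lb_zpa (added example, not the project's own file).
# Every value is a placeholder to be replaced before use.

# --- Required inputs (no defaults in the module) ---
env_subscription_id         = "00000000-0000-0000-0000-000000000000"            # placeholder subscription ID
azure_vault_url             = "https://example-kv.vault.azure.net"              # placeholder Key Vault URL
cc_vm_prov_url              = "https://connector.example.net/provisioning-url"  # placeholder provisioning URL
cc_vm_managed_identity_name = "zspreview-66117-mi"                              # example name from the inputs table
cc_vm_managed_identity_rg   = "edgeconnector_rg_1"                              # example RG from the inputs table

# Domains whose DNS requests Azure Private DNS forwards to Cloud Connector (ZPA).
# Assumed shape: arbitrary label keys, FQDN or wildcard values. Placeholder domains.
domain_names = {
  appseg1 = "app1.corp.example"
  appseg2 = "*.intranet.corp.example"
}

# --- Hardening: do not leave these at the lab defaults outside a lab ---
# Weak (module default): bastion_nsg_source_prefix = "*"  -> SSH to bastion from anywhere.
# Corrected: restrict to the operator network (placeholder CIDR).
bastion_nsg_source_prefix = "203.0.113.0/24"

encryption_at_host_enabled     = true   # module default; keep enabled
accelerated_networking_enabled = true   # module default; keep enabled
support_access_enabled         = true   # outbound rule for Zscaler support access; set false if not wanted

# --- Optional overrides (shown at their documented defaults) ---
arm_location   = "westus2"
cc_count       = 2
workload_count = 1
name_prefix    = "zscc"
environment    = "Development"
owner_tag      = "zscc-admin"
zones_enabled  = false   # false -> availability set; true -> VMs pinned to the zones list

# target_address is intentionally not set so the module's default pair of
# Zscaler Global VIP addresses is used for conditional forwarding.
```

After saving the file, `terraform plan` in the base_cc_lb_zpa directory should show the bastion NSG inbound SSH rule scoped to the CIDR above rather than to "*"; check that line in the plan output before confirming the apply.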
To destroy the environment, run the zsec bash script from the examples directory:
- ./zsec destroy
Or, from the base_cc_lb_zpa directory, execute:
- terraform destroy
Requirements:
Name | Version |
---|---|
terraform | >= 0.13.7, < 2.0.0 |
azurerm | >= 3.108.0, <= 3.116 |
local | ~> 2.5.0 |
null | ~> 3.1.0 |
random | ~> 3.3.0 |
tls | ~> 3.4.0 |
Providers:
Name | Version |
---|---|
azurerm | >= 3.108.0, <= 3.116 |
local | ~> 2.5.0 |
random | ~> 3.3.0 |
tls | ~> 3.4.0 |
Modules:
Name | Source | Version |
---|---|---|
bastion | ../../modules/terraform-zscc-bastion-azure | n/a |
cc_identity | ../../modules/terraform-zscc-identity-azure | n/a |
cc_lb | ../../modules/terraform-zscc-lb-azure | n/a |
cc_nsg | ../../modules/terraform-zscc-nsg-azure | n/a |
cc_vm | ../../modules/terraform-zscc-ccvm-azure | n/a |
network | ../../modules/terraform-zscc-network-azure | n/a |
private_dns | ../../modules/terraform-zscc-private-dns-azure | n/a |
workload | ../../modules/terraform-zscc-workload-azure | n/a |
Resources:
Name | Type |
---|---|
azurerm_private_dns_resolver_virtual_network_link.dns_vnet_link | resource |
local_file.private_key | resource |
local_file.testbed | resource |
local_file.user_data_file | resource |
random_string.suffix | resource |
tls_private_key.key | resource |
Inputs:
Name | Description | Type | Default | Required |
---|---|---|---|---|
accelerated_networking_enabled | Enable/Disable accelerated networking support on all Cloud Connector service interfaces | bool | true | no |
arm_location | The Azure Region where resources are to be deployed | string | "westus2" | no |
azure_vault_url | Azure Vault URL | string | n/a | yes |
bastion_nsg_source_prefix | User input for locking down SSH access to the bastion to a specific IP or CIDR range | string | "*" | no |
cc_count | The number of Cloud Connectors to deploy. Validation assumes the maximum for a /24 subnet, but the count can be smaller or larger as long as the subnet can accommodate it | number | 2 | no |
cc_subnets | Cloud Connector subnets to create in the VNet. Only required if you want to override the default subnets that this code derives from the network_address_space variable | list(string) | null | no |
cc_vm_managed_identity_name | Azure Managed Identity name to attach to the CC VM. E.g. zspreview-66117-mi | string | n/a | yes |
cc_vm_managed_identity_rg | Resource Group of the Azure Managed Identity to attach to the CC VM. E.g. edgeconnector_rg_1 | string | n/a | yes |
cc_vm_prov_url | Zscaler Cloud Connector Provisioning URL | string | n/a | yes |
ccvm_image_offer | Azure Marketplace Cloud Connector Image Offer | string | "zia_cloud_connector" | no |
ccvm_image_publisher | Azure Marketplace Cloud Connector Image Publisher | string | "zscaler1579058425289" | no |
ccvm_image_sku | Azure Marketplace Cloud Connector Image SKU | string | "zs_ser_gen1_cc_01" | no |
ccvm_image_version | Azure Marketplace Cloud Connector Image Version | string | "latest" | no |
ccvm_instance_type | Cloud Connector VM size | string | "Standard_D2s_v3" | no |
ccvm_source_image_id | Custom Cloud Connector Source Image ID. Set this to the resource path of a Microsoft.Compute image in the local subscription to override the marketplace publisher image for the Cloud Connector deployment | string | null | no |
domain_names | Domain names (FQDN or wildcard) for which Azure Private DNS redirects DNS requests to Cloud Connector | map(any) | n/a | yes |
encryption_at_host_enabled | User input for enabling or disabling host encryption | bool | true | no |
env_subscription_id | Azure Subscription ID where resources are to be deployed | string | n/a | yes |
environment | Customer defined environment tag, e.g. Dev, QA, Prod | string | "Development" | no |
health_check_interval | The interval, in seconds, at which to probe the endpoint for health status. Typically the interval is slightly less than half the allocated timeout period (in seconds), which allows two full probes before taking the instance out of rotation. The default is 15; the minimum is 5 | number | 15 | no |
http_probe_port | Port number on which Cloud Connector cloud-init enables a listener for the HTTP probe from the Azure LB | number | 50000 | no |
lb_enabled | Default true. Only relevant for 'base' deployments. Configure the Workload Route Table default route next hop to the CC Load Balancer IP passed from var.lb_frontend_ip. If false, the default route next hop is the CC Service IP passed from var.cc_service_ip | bool | true | no |
load_distribution | Azure LB load distribution method | string | "Default" | no |
managed_identity_subscription_id | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID differs from env_subscription_id | string | null | no |
name_prefix | The name prefix for all your resources | string | "zscc" | no |
network_address_space | VNet IP CIDR range. All subnet resources that might get created (public, workload, Cloud Connector, Private DNS) are derived from this /16 CIDR. If you require a VNet smaller than /16, you may need to explicitly define all other subnets via the public_subnets, workloads_subnets, cc_subnets, and private_dns_subnet variables | string | "10.1.0.0/16" | no |
number_of_probes | The number of probes without a response after which traffic stops being delivered to the endpoint. This value allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | number | 1 | no |
owner_tag | Customer defined owner tag value, e.g. Org, Dept, username | string | "zscc-admin" | no |
private_dns_subnet | Private DNS Resolver Outbound Endpoint subnet to create in the VNet. Only required if you want to override the default subnet that this code derives from the network_address_space variable | string | null | no |
probe_threshold | The number of consecutive successful or failed probes required to allow or deny traffic to this endpoint. After failing this many consecutive probes, the endpoint is taken out of rotation and requires the same number of consecutive successful probes to be placed back in rotation | number | 2 | no |
public_subnets | Public/Bastion subnets to create in the VNet. Only required if you want to override the default subnets that this code derives from the network_address_space variable | list(string) | null | no |
reuse_nsg | Specifies whether the NSG module creates 1:1 network security groups per instance or 1 network security group shared by all instances | bool | "false" | no |
support_access_enabled | If a Network Security Group is being configured, enable a specific outbound rule allowing Cloud Connector to establish connectivity for Zscaler support access. Default is true | bool | true | no |
target_address | Azure DNS queries are conditionally forwarded to these target IP addresses. Default is a pair of Zscaler Global VIP addresses | list(string) | [ | no |
tls_key_algorithm | Algorithm for the tls_private_key resource | string | "RSA" | no |
workload_count | The number of Workload VMs to deploy | number | 1 | no |
workloads_subnets | Workload subnets to create in the VNet. Only required if you want to override the default subnets that this code derives from the network_address_space variable | list(string) | null | no |
zones | Specify which availability zone(s) to deploy VM resources in if the zones_enabled variable is set to true | list(string) | [ | no |
zones_enabled | Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure automatically chooses a zone and the module creates an availability set resource instead for VM fault tolerance | bool | false | no |
zpa_enabled | Configure Azure Private DNS Outbound subnet, Resolvers, Rulesets/Rules, and Outbound Endpoint for ZPA DNS redirection | bool | true | no |
zssupport_server | Destination IP address of the Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net | string | "199.168.148.101" | no |
Outputs:
Name | Description |
---|---|
testbedconfig | Azure Testbed results |