This deployment type is intended for brownfield/production purposes. By default, it will create a new Resource Group; 1 VNet; at least 1 Cloud Connector private subnet; at least 1 NAT Gateway with a Public IP Address associated to the Cloud Connector subnet(s); a locally generated key pair (.pem file) for SSH access; and 1 Standard Azure Load Balancer with all rules, probes, and NIC associations. Note that the SSH private key is generated by Terraform's tls_private_key resource and written to disk by local_file.private_key, so it exists both as a local file and in plaintext in the Terraform state; restrict access to both.
The number of Cloud Connectors can be customized via the "cc_count" variable. The number of Cloud Connector subnets, NAT Gateways, and Public IPs varies depending on whether zone support is enabled and how many zones are specified.
There are conditional create options for almost all dependent resources should they already exist (VNet, subnets, NAT Gateways, Public IPs, NSGs, etc.)
- WSL2 DNS bug: If you are running these Azure Terraform deployments from a Windows WSL2 instance such as Ubuntu and receive an error containing a message similar to "dial tcp: lookup management.azure.com on 172.21.240.1:53: cannot unmarshal DNS message", refer to microsoft/WSL#5420 (comment) for a WSL2 resolv.conf fix.
Optional: first edit examples/cc_lb/terraform.tfvars with any "byo" variable values for resources that already exist in your environment and save the file. Then, from the examples directory, run the zsec bash script, which walks through all required inputs:
- ./zsec up
- enter "brownfield"
- enter "cc_lb"
- follow the remainder of the authentication and configuration input prompts.
- the script will detect the client operating system and download/run a specific version of Terraform in a temporary bin directory
- inputs will be validated and terraform init/apply will execute automatically.
- verify all resources that will be created/modified and enter "yes" to confirm
Alternatively, to run Terraform directly without the script: modify/populate any required variable input values in the examples/cc_lb/terraform.tfvars file and save.
From the cc_lb directory execute:
- terraform init
- terraform apply
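The following terraform.tfvars is an added example, not a file from the project's repository: it shows a brownfield configuration that reuses an existing resource group, VNet, subnets, NSGs, NAT Gateways and Public IPs, with the companion name/resource-group variables that each byo_* flag requires per the inputs table. Every subscription ID, resource name, URL and zone value is a placeholder assumption, and the example assumes the byo subnet, NAT Gateway and Public IP lists each have one entry per zone listed.

```hcl
# examples/cc_lb/terraform.tfvars (added example; all values are placeholders)

# Required inputs (no defaults in the inputs table)
env_subscription_id         = "00000000-0000-0000-0000-000000000000"  # assumption
cc_vm_prov_url              = "<Cloud Connector provisioning URL>"     # assumption
azure_vault_url             = "https://example-kv.vault.azure.net"     # assumption
cc_vm_managed_identity_name = "example-cc-mi"                          # assumption
cc_vm_managed_identity_rg   = "example-identity-rg"                    # assumption
arm_location                = "westus2"

# Bring your own resource group
byo_rg      = true
byo_rg_name = "example-cc-rg"

# Bring your own VNet and subnets. byo_vnet_subnets_rg_name is required
# when either byo_vnet or byo_subnets is true.
byo_vnet                 = true
byo_vnet_name            = "example-hub-vnet"
byo_subnets              = true
byo_subnet_names         = ["cc-subnet-a", "cc-subnet-b"]
byo_vnet_subnets_rg_name = "example-network-rg"

# Bring your own NSGs. Both the management and service NSG lists and the
# NSG resource group must be populated when byo_nsg is true.
byo_nsg               = true
byo_nsg_rg            = "example-network-rg"
byo_mgmt_nsg_names    = ["cc-mgmt-nsg"]
byo_service_nsg_names = ["cc-service-nsg"]

# Bring your own NAT Gateways and Public IPs.
byo_nat_gws      = true
byo_nat_gw_rg    = "example-network-rg"
byo_nat_gw_names = ["cc-natgw-a", "cc-natgw-b"]
byo_pips         = true
byo_pip_rg       = "example-network-rg"
byo_pip_names    = ["cc-natgw-pip-a", "cc-natgw-pip-b"]

# The existing NAT Gateways are already bound to the subnets above and to
# the Public IPs above, so tell the module not to attempt new associations.
# Per the inputs table, each flag is only valid when both of its byo_*
# prerequisites are true.
existing_nat_gw_subnet_association = true
existing_nat_gw_pip_association    = true

# Zonal deployment: one Cloud Connector per listed zone, matching the
# per-zone subnet/NAT GW/PIP lists above.
zones_enabled = true
zones         = ["1", "2"]
cc_count      = 2

# Azure LB health probe settings (defaults from the inputs table, shown
# explicitly so they can be tuned per environment).
http_probe_port       = 50000
health_check_interval = 15
probe_threshold       = 2
number_of_probes      = 1

# This rule is only applied when the module configures the NSGs; with
# byo_nsg = true the equivalent egress rule must already exist in your NSGs.
support_access_enabled = true

environment = "Production"
owner_tag   = "netsec-team"  # assumption
```

Run `terraform init` followed by `terraform plan` from the cc_lb directory before `terraform apply`, and confirm the plan shows no new VNet, subnet, NSG, NAT Gateway or Public IP resources: any such resource in the plan means a byo_* flag or its companion variable is missing.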
To destroy with the script, run the following from the examples directory and follow the prompts:
- ./zsec destroy
Or, to destroy directly with Terraform, from the cc_lb directory execute:
- terraform destroy
Name | Version |
---|---|
terraform | >= 0.13.7, < 2.0.0 |
azurerm | >= 3.108.0, <= 3.116 |
local | ~> 2.5.0 |
null | ~> 3.1.0 |
random | ~> 3.3.0 |
tls | ~> 3.4.0 |
Name | Version |
---|---|
local | ~> 2.5.0 |
random | ~> 3.3.0 |
tls | ~> 3.4.0 |
Name | Source | Version |
---|---|---|
cc_identity | ../../modules/terraform-zscc-identity-azure | n/a |
cc_lb | ../../modules/terraform-zscc-lb-azure | n/a |
cc_nsg | ../../modules/terraform-zscc-nsg-azure | n/a |
cc_vm | ../../modules/terraform-zscc-ccvm-azure | n/a |
network | ../../modules/terraform-zscc-network-azure | n/a |
private_dns | ../../modules/terraform-zscc-private-dns-azure | n/a |
Name | Type |
---|---|
local_file.private_key | resource |
local_file.testbed | resource |
local_file.user_data_file | resource |
random_string.suffix | resource |
tls_private_key.key | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
accelerated_networking_enabled | Enable/Disable accelerated networking support on all Cloud Connector service interfaces | bool | true | no |
arm_location | The Azure Region where resources are to be deployed | string | "westus2" | no |
azure_vault_url | Azure Vault URL | string | n/a | yes |
byo_mgmt_nsg_names | Existing Management Network Security Group names for Cloud Connector VM association. This must be populated if byo_nsg variable is true | list(string) | null | no |
byo_nat_gw_names | User provided existing NAT Gateway resource names. This must be populated if byo_nat_gws variable is true | list(string) | null | no |
byo_nat_gw_rg | User provided existing NAT Gateway Resource Group. This must be populated if byo_nat_gws variable is true | string | "" | no |
byo_nat_gws | Bring your own Azure NAT Gateways | bool | false | no |
byo_nsg | Bring your own Network Security Groups for Cloud Connector | bool | false | no |
byo_nsg_rg | User provided existing NSG Resource Group. This must be populated if byo_nsg variable is true | string | "" | no |
byo_pip_names | User provided Azure Public IP address resource names to be associated to NAT Gateway(s). This must be populated if byo_pips variable is true | list(string) | null | no |
byo_pip_rg | User provided Azure Public IP address resource group name. This must be populated if byo_pips variable is true | string | "" | no |
byo_pips | Bring your own Azure Public IP addresses for the NAT Gateway(s) association | bool | false | no |
byo_rg | Bring your own Azure Resource Group. If false, a new resource group will be created automatically | bool | false | no |
byo_rg_name | User provided existing Azure Resource Group name. This must be populated if byo_rg variable is true | string | "" | no |
byo_service_nsg_names | Existing Service Network Security Group names for Cloud Connector VM association. This must be populated if byo_nsg variable is true | list(string) | null | no |
byo_subnet_names | User provided existing Azure subnet name(s). This must be populated if byo_subnets variable is true | list(string) | null | no |
byo_subnets | Bring your own Azure subnets for Cloud Connector. If false, new subnet(s) will be created automatically. Default 1 subnet for Cloud Connector if 1 or no zones specified. Otherwise, the number of subnets created will equal the number of Cloud Connector zones | bool | false | no |
byo_vnet | Bring your own Azure VNet for Cloud Connector. If false, a new VNet will be created automatically | bool | false | no |
byo_vnet_name | User provided existing Azure VNet name. This must be populated if byo_vnet variable is true | string | "" | no |
byo_vnet_subnets_rg_name | User provided existing Azure VNet Resource Group. This must be populated if either byo_vnet or byo_subnets variables are true | string | "" | no |
cc_count | The number of Cloud Connectors to deploy. Validation assumes max for /24 subnet but could be smaller or larger as long as subnet can accommodate | number | 2 | no |
cc_subnets | Cloud Connector Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates | list(string) | null | no |
cc_vm_managed_identity_name | Azure Managed Identity name to attach to the CC VM. E.g. zspreview-66117-mi | string | n/a | yes |
cc_vm_managed_identity_rg | Resource Group of the Azure Managed Identity to attach to the CC VM. E.g. edgeconnector_rg_1 | string | n/a | yes |
cc_vm_prov_url | Zscaler Cloud Connector Provisioning URL | string | n/a | yes |
ccvm_image_offer | Azure Marketplace Cloud Connector Image Offer | string | "zia_cloud_connector" | no |
ccvm_image_publisher | Azure Marketplace Cloud Connector Image Publisher | string | "zscaler1579058425289" | no |
ccvm_image_sku | Azure Marketplace Cloud Connector Image SKU | string | "zs_ser_gen1_cc_01" | no |
ccvm_image_version | Azure Marketplace Cloud Connector Image Version | string | "latest" | no |
ccvm_instance_type | Cloud Connector VM instance size | string | "Standard_D2s_v3" | no |
ccvm_source_image_id | Custom Cloud Connector Source Image ID. Set this value to the path of a local subscription Microsoft.Compute image to override the Cloud Connector deployment instead of using the marketplace publisher | string | null | no |
domain_names | Domain names (FQDN/wildcard) for which Azure Private DNS redirects DNS requests to Cloud Connector | map(any) | {} | no |
encryption_at_host_enabled | User input for enabling or disabling host encryption | bool | false | no |
env_subscription_id | Azure Subscription ID where resources are to be deployed | string | n/a | yes |
environment | Customer defined environment tag. i.e.: Dev, QA, Prod, etc. | string | "Development" | no |
existing_nat_gw_pip_association | Set this to true only if both byo_pips and byo_nat_gws variables are true. This implies that there are already NAT Gateway resources with Public IP Addresses associated, so no new associations are attempted | bool | false | no |
existing_nat_gw_subnet_association | Set this to true only if both byo_nat_gws and byo_subnets variables are true. This implies that there are already NAT Gateway resources associated to the subnets where Cloud Connectors are being deployed | bool | false | no |
health_check_interval | The interval, in seconds, for how frequently to probe the endpoint for health status. Typically, the interval is slightly less than half the allocated timeout period (in seconds), which allows two full probes before taking the instance out of rotation. The default value is 15, the minimum value is 5 | number | 15 | no |
http_probe_port | Port number for Cloud Connector cloud-init to enable a listener port for the HTTP probe from the Azure LB | number | 50000 | no |
load_distribution | Azure LB load distribution method | string | "Default" | no |
managed_identity_subscription_id | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different from env_subscription_id | string | null | no |
name_prefix | The name prefix for all your resources | string | "zscc" | no |
network_address_space | VNet CIDR / address prefix | string | "10.1.0.0/16" | no |
number_of_probes | The number of probes with no response after which further traffic stops being delivered to the endpoint. This value allows endpoints to be taken out of rotation faster or slower than the typical times used in Azure | number | 1 | no |
owner_tag | Customer defined owner tag value. i.e.: Org, Dept, username, etc. | string | "zscc-admin" | no |
private_dns_subnet | Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via the network_address_space variable | string | null | no |
probe_threshold | The number of consecutive successful or failed probes required to allow or deny traffic to this endpoint. After failing this many consecutive probes, the endpoint is taken out of rotation and requires the same number of consecutive successful probes to be placed back in rotation | number | 2 | no |
reuse_nsg | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | bool | "false" | no |
support_access_enabled | If Network Security Groups are being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | bool | true | no |
target_address | Azure DNS queries will be conditionally forwarded to these target IP addresses. Default is a pair of Zscaler Global VIP addresses | list(string) | [ | no |
tls_key_algorithm | Algorithm for the tls_private_key resource | string | "RSA" | no |
zones | Specify which availability zone(s) to deploy VM resources in if the zones_enabled variable is set to true | list(string) | [ | no |
zones_enabled | Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and the module will create an availability set resource instead for VM fault tolerance | bool | false | no |
zpa_enabled | Configure Azure Private DNS Outbound subnet, Resolvers, Rulesets/Rules, and Outbound Endpoint for ZPA DNS redirection | bool | false | no |
zssupport_server | Destination IP address of the Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net | string | "199.168.148.101" | no |
Name | Description |
---|---|
testbedconfig | Azure Testbed results |