diff --git a/CHANGELOG.md b/CHANGELOG.md index ea615bf..f70c6cc 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ## TBD (UNRELEASED) + FEATURES: * Azure China support (China East, China East 2, China North, China North 2, and China North 3) @@ -7,6 +8,8 @@ BUG FIXES: * ENHANCEMENTS: * ZSEC bash script support for Azure China regions +* * add: variable support_access_enabled for dynamic NSG rule creation for Zscaler Support Tunnel access +* add: zsec prompt for support tunnel rule creation ## v0.3.0 (September 30, 2023) diff --git a/examples/base_1cc/README.md b/examples/base_1cc/README.md index 1c2ebd9..635d2ea 100644 --- a/examples/base_1cc/README.md +++ b/examples/base_1cc/README.md 
@@ -109,6 +109,7 @@ From base_1cc directory execute: | [owner\_tag](#input\_owner\_tag) | Customer defined owner tag value. ie: Org, Dept, username, etc. | `string` | `"zscc-admin"` | no | | [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | | [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no | +| [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no | | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | | [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no | | [workloads\_subnets](#input\_workloads\_subnets) | Workload Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | diff --git a/examples/base_1cc/main.tf b/examples/base_1cc/main.tf index f388370..2fdaf14 100755 --- a/examples/base_1cc/main.tf +++ b/examples/base_1cc/main.tf 
@@ -162,13 +162,14 @@ module "cc_vm" {
 # created and assigned to ALL Cloud Connectors
 ################################################################################
 module "cc_nsg" {
- source = "../../modules/terraform-zscc-nsg-azure"
- nsg_count = var.reuse_nsg == false ? var.cc_count : 1
- name_prefix = var.name_prefix
- resource_tag = random_string.suffix.result
- resource_group = module.network.resource_group_name
- location = var.arm_location
- global_tags = local.global_tags
+ source = "../../modules/terraform-zscc-nsg-azure"
+ nsg_count = var.reuse_nsg == false ? var.cc_count : 1
+ name_prefix = var.name_prefix
+ resource_tag = random_string.suffix.result
+ resource_group = module.network.resource_group_name
+ location = var.arm_location
+ global_tags = local.global_tags
+ support_access_enabled = var.support_access_enabled
 }
diff --git a/examples/base_1cc/terraform.tfvars b/examples/base_1cc/terraform.tfvars
index d6661ab..5194d39 100755
--- a/examples/base_1cc/terraform.tfvars
+++ b/examples/base_1cc/terraform.tfvars
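Review bot: The new `support_access_enabled = var.support_access_enabled` line wires a remote-support allow rule into every Cloud Connector NSG, and the example variable defaults it to `true`, so an outbound path for Zscaler support access is opened unless the operator opts out in terraform.tfvars. Nothing in this hunk shows which destination or ports the rule permits; that is decided inside `modules/terraform-zscc-nsg-azure`, which is not part of this change, so anyone reviewing an NSG baseline has to read the module to know what was just enabled by default. A comment on the wired line would make the default visible where it takes effect: `support_access_enabled = var.support_access_enabled # default true: adds the outbound Zscaler_Support_Access rule; set false in terraform.tfvars to opt out`. The same wiring is repeated in the other example directories and the note applies to each.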
@@ -169,7 +169,16 @@ #encryption_at_host_enabled = false -## 21. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. +## 21. By default, if Terraform is creating NSGs an outbound rule named Zscaler_Support_Access is configured enabling +## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as +## efficiently if troubleshooting is required. Uncomment if you do not want to enable this rule. +## +## For more information, refer to: https://config.zscaler.com/zscaler.net/cloud-branch-connector and +## https://help.zscaler.com/cloud-branch-connector/enabling-remote-access + +#support_access_enabled = false + +## 22. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. ## Uncomment and set this value to the path of a local subscription Microsoft.Compute image to override the ## Cloud Connector deployment with a private VHD instead of using the marketplace publisher. ## *** This is recommended only for testing purposes and not supported for production deployments *** diff --git a/examples/base_1cc/variables.tf b/examples/base_1cc/variables.tf index 168fde3..98bab34 100755 --- a/examples/base_1cc/variables.tf +++ b/examples/base_1cc/variables.tf @@ -242,3 +242,9 @@ variable "encryption_at_host_enabled" { description = "User input for enabling or disabling host encryption" default = true } + +variable "support_access_enabled" { + type = bool + description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true" + default = true +} diff --git a/examples/base_1cc_zpa/README.md b/examples/base_1cc_zpa/README.md index c6a5685..94dd5c2 100644 --- a/examples/base_1cc_zpa/README.md +++ b/examples/base_1cc_zpa/README.md 
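Review bot: The new `## 21.` comment tells the operator that the Zscaler_Support_Access rule is on by default but not what it allows, so a security reviewer cannot judge the exposure from this file alone; the rule body lives in the NSG module, outside this change. Azure NSGs already permit outbound Internet through the built-in AllowInternetOutBound rule, so the added rule presumably only matters where the module also installs a more restrictive outbound deny — worth confirming and saying so, since that is what decides whether setting `false` actually closes anything. I would add after the link lines: `## Review the rule's destination and port in modules/terraform-zscc-nsg-azure before relying on it; if you set this to false, Zscaler Support may need an equivalent rule added to the NSG out-of-band before remote access works.` The same block is duplicated in the other examples' terraform.tfvars.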
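Review bot: The description of the new `support_access_enabled` variable says "a specific outbound rule" without naming the rule or what it reaches, and "Default is true" restates the `default` argument that the generated README table already renders in its own column. Naming the rule and the opt-out makes the README row self-explanatory for whoever audits the inputs: `description = "When the NSG module creates security groups, add the outbound Zscaler_Support_Access rule that lets Cloud Connector reach Zscaler remote support. Set to false to omit the rule."`. The identical variable block is added to each example's variables.tf and should be changed in all of them together.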
@@ -114,6 +114,7 @@ From base_1cc_zpa directory execute: | [private\_dns\_subnet](#input\_private\_dns\_subnet) | Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network\_address\_space variable. | `string` | `null` | no | | [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | | [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no | +| [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no | | [target\_address](#input\_target\_address) | Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses | `list(string)` |
[
"185.46.212.88",
"185.46.212.89"
]
| no | | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | | [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no | diff --git a/examples/base_1cc_zpa/main.tf b/examples/base_1cc_zpa/main.tf index 02508f8..5bf4117 100755 --- a/examples/base_1cc_zpa/main.tf +++ b/examples/base_1cc_zpa/main.tf @@ -164,13 +164,14 @@ module "cc_vm" { # created and assigned to ALL Cloud Connectors ################################################################################ module "cc_nsg" { - source = "../../modules/terraform-zscc-nsg-azure" - nsg_count = var.reuse_nsg == false ? var.cc_count : 1 - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - resource_group = module.network.resource_group_name - location = var.arm_location - global_tags = local.global_tags + source = "../../modules/terraform-zscc-nsg-azure" + nsg_count = var.reuse_nsg == false ? var.cc_count : 1 + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + resource_group = module.network.resource_group_name + location = var.arm_location + global_tags = local.global_tags + support_access_enabled = var.support_access_enabled } diff --git a/examples/base_1cc_zpa/terraform.tfvars b/examples/base_1cc_zpa/terraform.tfvars index 66f11f2..8db1740 100755 --- a/examples/base_1cc_zpa/terraform.tfvars +++ b/examples/base_1cc_zpa/terraform.tfvars 
@@ -170,7 +170,16 @@ #encryption_at_host_enabled = false -## 21. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. +## 21. By default, if Terraform is creating NSGs an outbound rule named Zscaler_Support_Access is configured enabling +## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as +## efficiently if troubleshooting is required. Uncomment if you do not want to enable this rule. +## +## For more information, refer to: https://config.zscaler.com/zscaler.net/cloud-branch-connector and +## https://help.zscaler.com/cloud-branch-connector/enabling-remote-access + +#support_access_enabled = false + +## 22. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. ## Uncomment and set this value to the path of a local subscription Microsoft.Compute image to override the ## Cloud Connector deployment with a private VHD instead of using the marketplace publisher. ## *** This is recommended only for testing purposes and not supported for production deployments *** 
@@ -182,7 +191,7 @@ ##################################################################################################################### ##### ZPA/Azure Private DNS specific variables ##### ##################################################################################################################### -## 22. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception. +## 23. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception. ## Only applicable for base + zpa or zpa_enabled = true deployment types where Outbound DNS subnets, Resolver Ruleset/Rules, ## and Outbound Endpoints are being created. Two example domains are populated to show the mapping structure and syntax. ## Azure does require a trailing dot "." on all domain entries. ZPA Module will read through each to create a resolver rule per @@ -193,7 +202,7 @@ # appseg2 = "app2.com." #} -## 23. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses. +## 24. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses. ## The required expectation is that the target should follow VNet/subnet routing towards the configured Cloud Connector Load Balancer VIP for ## ZPA DNS interception diff --git a/examples/base_1cc_zpa/variables.tf b/examples/base_1cc_zpa/variables.tf index 495595d..3e0a535 100755 --- a/examples/base_1cc_zpa/variables.tf +++ b/examples/base_1cc_zpa/variables.tf 
@@ -266,3 +266,9 @@ variable "target_address" { description = "Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses" default = ["185.46.212.88", "185.46.212.89"] } + +variable "support_access_enabled" { + type = bool + description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true" + default = true +} diff --git a/examples/base_cc_lb/README.md b/examples/base_cc_lb/README.md index a41db1e..73f5d34 100644 --- a/examples/base_cc_lb/README.md +++ b/examples/base_cc_lb/README.md 
@@ -115,6 +115,7 @@ From base_cc_lb directory execute: | [probe\_threshold](#input\_probe\_threshold) | The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. | `number` | `2` | no | | [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | | [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no | +| [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no | | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | | [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no | | [workloads\_subnets](#input\_workloads\_subnets) | Workload Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | diff --git a/examples/base_cc_lb/main.tf b/examples/base_cc_lb/main.tf index f55fc89..ceb37fc 100755 --- a/examples/base_cc_lb/main.tf +++ b/examples/base_cc_lb/main.tf 
@@ -165,13 +165,14 @@ module "cc_vm" {
 # created and assigned to ALL Cloud Connectors
 ################################################################################
 module "cc_nsg" {
- source = "../../modules/terraform-zscc-nsg-azure"
- nsg_count = var.reuse_nsg == false ? var.cc_count : 1
- name_prefix = var.name_prefix
- resource_tag = random_string.suffix.result
- resource_group = module.network.resource_group_name
- location = var.arm_location
- global_tags = local.global_tags
+ source = "../../modules/terraform-zscc-nsg-azure"
+ nsg_count = var.reuse_nsg == false ? var.cc_count : 1
+ name_prefix = var.name_prefix
+ resource_tag = random_string.suffix.result
+ resource_group = module.network.resource_group_name
+ location = var.arm_location
+ global_tags = local.global_tags
+ support_access_enabled = var.support_access_enabled
 }
diff --git a/examples/base_cc_lb/terraform.tfvars b/examples/base_cc_lb/terraform.tfvars
index 1c0dd9a..ba06391 100755
--- a/examples/base_cc_lb/terraform.tfvars
+++ b/examples/base_cc_lb/terraform.tfvars
@@ -169,7 +169,16 @@ #encryption_at_host_enabled = false -## 21. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. +## 21. By default, if Terraform is creating NSGs an outbound rule named Zscaler_Support_Access is configured enabling +## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as +## efficiently if troubleshooting is required. Uncomment if you do not want to enable this rule. +## +## For more information, refer to: https://config.zscaler.com/zscaler.net/cloud-branch-connector and +## https://help.zscaler.com/cloud-branch-connector/enabling-remote-access + +#support_access_enabled = false + +## 22. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. ## Uncomment and set this value to the path of a local subscription Microsoft.Compute image to override the ## Cloud Connector deployment with a private VHD instead of using the marketplace publisher. ## *** This is recommended only for testing purposes and not supported for production deployments *** diff --git a/examples/base_cc_lb/variables.tf b/examples/base_cc_lb/variables.tf index 8b28a0d..f6858ad 100755 --- a/examples/base_cc_lb/variables.tf +++ b/examples/base_cc_lb/variables.tf @@ -280,3 +280,9 @@ variable "encryption_at_host_enabled" { description = "User input for enabling or disabling host encryption" default = true } + +variable "support_access_enabled" { + type = bool + description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true" + default = true +} diff --git a/examples/base_cc_lb_zpa/README.md b/examples/base_cc_lb_zpa/README.md index 8d93156..9a7942b 100644 --- a/examples/base_cc_lb_zpa/README.md +++ b/examples/base_cc_lb_zpa/README.md 
@@ -120,6 +120,7 @@ From base_cc_lb_zpa directory execute: | [probe\_threshold](#input\_probe\_threshold) | The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. | `number` | `2` | no | | [public\_subnets](#input\_public\_subnets) | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network\_address\_space variable. | `list(string)` | `null` | no | | [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no | +| [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no | | [target\_address](#input\_target\_address) | Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses | `list(string)` |
[
"185.46.212.88",
"185.46.212.89"
]
| no | | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | | [workload\_count](#input\_workload\_count) | The number of Workload VMs to deploy | `number` | `1` | no | diff --git a/examples/base_cc_lb_zpa/main.tf b/examples/base_cc_lb_zpa/main.tf index b16f2fa..01be2c2 100755 --- a/examples/base_cc_lb_zpa/main.tf +++ b/examples/base_cc_lb_zpa/main.tf @@ -167,13 +167,14 @@ module "cc_vm" { # created and assigned to ALL Cloud Connectors ################################################################################ module "cc_nsg" { - source = "../../modules/terraform-zscc-nsg-azure" - nsg_count = var.reuse_nsg == false ? var.cc_count : 1 - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - resource_group = module.network.resource_group_name - location = var.arm_location - global_tags = local.global_tags + source = "../../modules/terraform-zscc-nsg-azure" + nsg_count = var.reuse_nsg == false ? var.cc_count : 1 + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + resource_group = module.network.resource_group_name + location = var.arm_location + global_tags = local.global_tags + support_access_enabled = var.support_access_enabled } diff --git a/examples/base_cc_lb_zpa/terraform.tfvars b/examples/base_cc_lb_zpa/terraform.tfvars index 2d4bde9..0304431 100755 --- a/examples/base_cc_lb_zpa/terraform.tfvars +++ b/examples/base_cc_lb_zpa/terraform.tfvars 
@@ -170,7 +170,16 @@ #encryption_at_host_enabled = false -## 21. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. +## 21. By default, if Terraform is creating NSGs an outbound rule named Zscaler_Support_Access is configured enabling +## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as +## efficiently if troubleshooting is required. Uncomment if you do not want to enable this rule. +## +## For more information, refer to: https://config.zscaler.com/zscaler.net/cloud-branch-connector and +## https://help.zscaler.com/cloud-branch-connector/enabling-remote-access + +#support_access_enabled = false + +## 22. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. ## Uncomment and set this value to the path of a local subscription Microsoft.Compute image to override the ## Cloud Connector deployment with a private VHD instead of using the marketplace publisher. ## *** This is recommended only for testing purposes and not supported for production deployments *** 
@@ -182,7 +191,7 @@ ##################################################################################################################### ##### ZPA/Azure Private DNS specific variables ##### ##################################################################################################################### -## 22. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception. +## 23. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception. ## Only applicable for base + zpa or zpa_enabled = true deployment types where Outbound DNS subnets, Resolver Ruleset/Rules, ## and Outbound Endpoints are being created. Two example domains are populated to show the mapping structure and syntax. ## Azure does require a trailing dot "." on all domain entries. ZPA Module will read through each to create a resolver rule per @@ -193,7 +202,7 @@ # appseg2 = "app2.com." #} -## 23. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses. +## 24. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses. ## The required expectation is that the target should follow VNet/subnet routing towards the configured Cloud Connector Load Balancer VIP for ## ZPA DNS interception diff --git a/examples/base_cc_lb_zpa/variables.tf b/examples/base_cc_lb_zpa/variables.tf index 2645cd2..17b58a2 100755 --- a/examples/base_cc_lb_zpa/variables.tf +++ b/examples/base_cc_lb_zpa/variables.tf 
@@ -287,6 +287,12 @@ variable "encryption_at_host_enabled" { default = true } +variable "support_access_enabled" { + type = bool + description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true" + default = true +} + # Azure Private DNS specific variables variable "zpa_enabled" { diff --git a/examples/cc_lb/README.md b/examples/cc_lb/README.md index 0d1a413..b81eb60 100644 --- a/examples/cc_lb/README.md +++ b/examples/cc_lb/README.md @@ -135,6 +135,7 @@ From cc_lb directory execute: | [private\_dns\_subnet](#input\_private\_dns\_subnet) | Private DNS Resolver Outbound Endpoint Subnet to create in VNet. This is only required if you want to override the default subnet that this code creates via network\_address\_space variable. | `string` | `null` | no | | [probe\_threshold](#input\_probe\_threshold) | The number of consecutive successful or failed probes in order to allow or deny traffic from being delivered to this endpoint. After failing the number of consecutive probes equal to this value, the endpoint will be taken out of rotation and require the same number of successful consecutive probes to be placed back in rotation. | `number` | `2` | no | | [reuse\_nsg](#input\_reuse\_nsg) | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | `bool` | `"false"` | no | +| [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no | | [target\_address](#input\_target\_address) | Azure DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses | `list(string)` |
[
"185.46.212.88",
"185.46.212.89"
]
| no | | [tls\_key\_algorithm](#input\_tls\_key\_algorithm) | algorithm for tls\_private\_key resource | `string` | `"RSA"` | no | | [zones](#input\_zones) | Specify which availability zone(s) to deploy VM resources in if zones\_enabled variable is set to true | `list(string)` |
[
"1"
]
| no | diff --git a/examples/cc_lb/main.tf b/examples/cc_lb/main.tf index 5fc9274..4592ee3 100755 --- a/examples/cc_lb/main.tf +++ b/examples/cc_lb/main.tf @@ -145,13 +145,14 @@ module "cc_vm" { # created and assigned to ALL Cloud Connectors ################################################################################ module "cc_nsg" { - source = "../../modules/terraform-zscc-nsg-azure" - nsg_count = var.reuse_nsg == false ? var.cc_count : 1 - name_prefix = var.name_prefix - resource_tag = random_string.suffix.result - resource_group = var.byo_nsg == false ? module.network.resource_group_name : var.byo_nsg_rg - location = var.arm_location - global_tags = local.global_tags + source = "../../modules/terraform-zscc-nsg-azure" + nsg_count = var.reuse_nsg == false ? var.cc_count : 1 + name_prefix = var.name_prefix + resource_tag = random_string.suffix.result + resource_group = var.byo_nsg == false ? module.network.resource_group_name : var.byo_nsg_rg + location = var.arm_location + global_tags = local.global_tags + support_access_enabled = var.support_access_enabled byo_nsg = var.byo_nsg # optional inputs. only required if byo_nsg set to true diff --git a/examples/cc_lb/terraform.tfvars b/examples/cc_lb/terraform.tfvars index bfce38c..25f0414 100755 --- a/examples/cc_lb/terraform.tfvars +++ b/examples/cc_lb/terraform.tfvars 
@@ -168,7 +168,16 @@ #encryption_at_host_enabled = false -## 21. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. +## 21. By default, if Terraform is creating NSGs an outbound rule named Zscaler_Support_Access is configured enabling +## Zscaler remote support access. Without this firewall access, Zscaler Support may not be able to assist as +## efficiently if troubleshooting is required. Uncomment if you do not want to enable this rule. +## +## For more information, refer to: https://config.zscaler.com/zscaler.net/cloud-branch-connector and +## https://help.zscaler.com/cloud-branch-connector/enabling-remote-access + +#support_access_enabled = false + +## 22. By default, Terraform will lookup the latest Cloud Connector image version from the Azure Marketplace. ## Uncomment and set this value to the path of a local subscription Microsoft.Compute image to override the ## Cloud Connector deployment with a private VHD instead of using the marketplace publisher. ## *** This is recommended only for testing purposes and not supported for production deployments *** 
@@ -181,30 +190,30 @@ ##### Custom BYO variables. Only applicable for "cc_lb" deployment without "base" resource requirements ##### ##################################################################################################################### -## 22. By default, this script will create a new Resource Group and place all resources in this group. +## 23. By default, this script will create a new Resource Group and place all resources in this group. ## Uncomment if you want to deploy all resources in an existing Resource Group? (true or false. Default: false) #byo_rg = true -## 23. Provide your existing Resource Group name. Only uncomment and modify if you set byo_rg to true +## 24. Provide your existing Resource Group name. Only uncomment and modify if you set byo_rg to true #byo_rg_name = "existing-rg" -## 24. By default, this script will create a new Azure Virtual Network in the default resource group. +## 25. By default, this script will create a new Azure Virtual Network in the default resource group. ## Uncomment if you want to deploy all resources to a VNet that already exists (true or false. Default: false) #byo_vnet = true -## 25. Provide your existing VNet name. Only uncomment and modify if you set byo_vnet to true +## 26. Provide your existing VNet name. Only uncomment and modify if you set byo_vnet to true #byo_vnet_name = "existing-vnet" -## 26. Provide the existing Resource Group name of your VNet. Only uncomment and modify if you set byo_vnet to true +## 27. Provide the existing Resource Group name of your VNet. Only uncomment and modify if you set byo_vnet to true ## Subnets depend on VNet so the same resource group is implied for subnets #byo_vnet_subnets_rg_name = "existing-vnet-rg" -## 27. By default, this script will create 1 new Azure subnet in the default resource group unles the zones variable +## 28. 
By default, this script will create 1 new Azure subnet in the default resource group unles the zones variable ## specifies multiple zonal deployments in which case subnet 1 would logically map to resources in zone "1", etc. ## Uncomment if you want to deploy all resources in subnets that already exist (true or false. Default: false) ## Dependencies require in order to reference existing subnets, the corresponding VNet must also already exist. @@ -212,7 +221,7 @@ #byo_subnets = true -## 28. Provide your existing Cloud Connector subnet names. Only uncomment and modify if you set byo_subnets to true +## 29. Provide your existing Cloud Connector subnet names. Only uncomment and modify if you set byo_subnets to true ## By default, management and service interfaces reside in a single subnet. Therefore, specifying multiple subnets ## implies only that you are doing a zonal deployment with resources in separate AZs and corresponding zonal NAT ## Gateway resources associated with the CC subnets mapped to the same respective zones. @@ -221,12 +230,12 @@ #byo_subnet_names = ["existing-cc-subnet"] -## 29. By default, this script will create new Public IP resources to be associated with CC NAT Gateways. +## 30. By default, this script will create new Public IP resources to be associated with CC NAT Gateways. ## Uncomment if you want to use your own public IP for the NAT GW (true or false. Default: false) #byo_pips = true -## 30. Provide your existing Azure Public IP resource names. Only uncomment and modify if you set byo_pips to true +## 31. Provide your existing Azure Public IP resource names. Only uncomment and modify if you set byo_pips to true ## Existing Public IP resource cannot be associated with any resource other than an existing NAT Gateway in which ## case existing_pip_association and existing_nat_gw_association need both set to true ## 
@@ -237,16 +246,16 @@ #byo_pip_names = ["pip-az1","pip-az2"] -## 31. Provide the existing Resource Group name of your Azure public IPs. Only uncomment and modify if you set byo_pips to true +## 32. Provide the existing Resource Group name of your Azure public IPs. Only uncomment and modify if you set byo_pips to true #byo_pip_rg = "existing-pip-rg" -## 32. By default, this script will create new NAT Gateway resources for the Cloud Connector subnets to be associated +## 33. By default, this script will create new NAT Gateway resources for the Cloud Connector subnets to be associated ## Uncomment if you want to use your own NAT Gateway (true or false. Default: false) #byo_nat_gws = true -## 33. Provide your existing Azure NAT Gateway resource names. Only uncomment and modify if you set byo_nat_gws to true +## 34. Provide your existing Azure NAT Gateway resource names. Only uncomment and modify if you set byo_nat_gws to true ## ***** Note ***** ## If you already have existing NAT Gateways AND set zone_enabled to true these resource should be configured as zonal and ## be added here to this variable list in order of the zones specified in the "zones" variable. 
@@ -254,30 +263,30 @@ #byo_nat_gw_names = ["natgw-az1","natgw-az2"] -## 34. Provide the existing Resource Group name of your NAT Gateway. Only uncomment and modify if you set byo_nat_gws to true +## 35. Provide the existing Resource Group name of your NAT Gateway. Only uncomment and modify if you set byo_nat_gws to true #byo_nat_gw_rg = "existing-nat-gw-rg" -## 35. By default, this script will create a new Azure Public IP and associate it with new/existing NAT Gateways. +## 36. By default, this script will create a new Azure Public IP and associate it with new/existing NAT Gateways. ## Uncomment if you are deploying cloud connector to an environment where the PIP already exists AND is already asssociated to ## an existing NAT Gateway. (true or false. Default: false). ## Setting existing_pip_association to true means byo_nat_gws and byo_pips must ALSO be set to true. #existing_nat_gw_pip_association = true -## 36. By default this script will create a new Azure NAT Gateway and associate it with new or existing CC subnets. +## 37. By default this script will create a new Azure NAT Gateway and associate it with new or existing CC subnets. ## Uncomment if you are deploying cloud connector to an environment where the subnet already exists AND is already asssociated to ## an existing NAT Gateway. (true or false. Default: false). ## Setting existing_nat_gw_association to true means byo_subnets AND byo_nat_gws must also be set to true. #existing_nat_gw_subnet_association = true -## 37. By default, this script will create new Network Security Groups for the Cloud Connector mgmt and service interfaces +## 38. By default, this script will create new Network Security Groups for the Cloud Connector mgmt and service interfaces ## Uncomment if you want to use your own NSGs (true or false. Default: false) #byo_nsg = true -## 38. Provide your existing Network Security Group resource names. Only uncomment and modify if you set byo_nsg to true +## 39. 
Provide your existing Network Security Group resource names. Only uncomment and modify if you set byo_nsg to true ## ***** Note ***** ## Example: byo_mgmt_nsg_names = ["mgmt-nsg-1","mgmt-nsg-2"] @@ -286,7 +295,7 @@ #byo_mgmt_nsg_names = ["mgmt-nsg-1","mgmt-nsg-2"] #byo_service_nsg_names = ["service-nsg-1","service-nsg-2"] -## 39. Provide the existing Resource Group name of your Network Security Groups. Only uncomment and modify if you set byo_nsg to true +## 40. Provide the existing Resource Group name of your Network Security Groups. Only uncomment and modify if you set byo_nsg to true #byo_nsg_rg = "existing-nsg-rg" @@ -294,12 +303,12 @@ ##################################################################################################################### ##### ZPA/Azure Private DNS specific variables ##### ##################################################################################################################### -## 40. By default, the terraform-zscc-private-dns-azure (Azure Private DNS for ZPA) module and dependences are not +## 41. By default, the terraform-zscc-private-dns-azure (Azure Private DNS for ZPA) module and dependences are not ## configured. Uncomment and set to true to enable this module resources creation. #zpa_enabled = true -## 41. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception. +## 42. Provide the domain names you want Azure Private DNS to redirect to Cloud Connector for ZPA interception. ## Only applicable for base + zpa or zpa_enabled = true deployment types where Outbound DNS subnets, Resolver Ruleset/Rules, ## and Outbound Endpoints are being created. Two example domains are populated to show the mapping structure and syntax. ## Azure does require a trailing dot "." on all domain entries. ZPA Module will read through each to create a resolver rule per 
@@ -310,7 +319,7 @@ # appseg2 = "app2.com." #} -## 42. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses. +## 43. Azure Private DNS queries will be conditionally forwarded to these target IP addresses. Default are a pair of Zscaler Global VIP addresses. ## The required expectation is that the target should follow VNet/subnet routing towards the configured Cloud Connector Load Balancer VIP for ## ZPA DNS interception diff --git a/examples/cc_lb/variables.tf b/examples/cc_lb/variables.tf index fc37416..c4ee1d2 100755 --- a/examples/cc_lb/variables.tf +++ b/examples/cc_lb/variables.tf @@ -253,6 +253,12 @@ variable "encryption_at_host_enabled" { default = false } +variable "support_access_enabled" { + type = bool + description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true" + default = true +} + # Azure Private DNS specific variables variable "zpa_enabled" { diff --git a/examples/zsec b/examples/zsec index 003fc0c..f8c0a1f 100755 --- a/examples/zsec +++ b/examples/zsec 
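Review bot: The description of the new `support_access_enabled` variable (here and in the matching hunk in `modules/terraform-zscc-nsg-azure/variables.tf`) says "a specific outbound rule" is enabled but not what that rule permits, which is exactly what an operator deciding whether to leave it on needs to know; the trailing "Default is true" also just repeats the `default` attribute. Consider `description = "Create an outbound NSG rule (TCP/12002 to the Zscaler support endpoint) so Zscaler Support can establish a remote-assist tunnel to Cloud Connector. Set to false to omit the rule."`. The port and endpoint are the ones the rule in `modules/terraform-zscc-nsg-azure/main.tf` uses; as far as this diff shows the rule is attached to the management NSG, which is worth stating here if that is the only place it is rendered.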
@@ -587,6 +587,26 @@ domain_names_map+="}'" echo "export TF_VAR_domain_names=$domain_names_map" >> .zsecrc fi +support_access_response_default="no" +while true; do + read -r -p "By default, an outbound NSG rule is configured enabling Zscaler remote support access. Would you like to disable this rule creation? [Default=$support_access_response_default]: " support_access_response_input + support_access_response=${support_access_response_input:-$support_access_response_default} + case $support_access_response in + yes|y ) + echo "Outbound rule Zscaler_Support_Access will not be created" + echo "*** Caution: Zscaler Support may not be able to assist as efficiently if troubleshooting is required without this access" + echo "export TF_VAR_support_access_enabled=false" >> .zsecrc + break + ;; + no|n ) + echo "Outbound rule Zscaler_Support_Access will be created" + echo "export TF_VAR_support_access_enabled=true" >> .zsecrc + break + ;; + * ) echo "invalid response. Please enter yes or no";; + esac +done + fi diff --git a/modules/terraform-zscc-nsg-azure/README.md b/modules/terraform-zscc-nsg-azure/README.md index 46f8148..db1a3e5 100644 --- a/modules/terraform-zscc-nsg-azure/README.md +++ b/modules/terraform-zscc-nsg-azure/README.md @@ -42,6 +42,7 @@ No modules. | [nsg\_count](#input\_nsg\_count) | Default number of network security groups to create | `number` | `1` | no | | [resource\_group](#input\_resource\_group) | Main Resource Group Name | `string` | n/a | yes | | [resource\_tag](#input\_resource\_tag) | A tag to associate to all the NSG module resources | `string` | `null` | no | +| [support\_access\_enabled](#input\_support\_access\_enabled) | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | `bool` | `true` | no | ## Outputs 
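Review bot: The `case` in the new prompt block matches only lowercase `yes|y` and `no|n`, so an answer of `Y`, `N` or `Yes` falls through to "invalid response" and re-prompts, although nothing in the prompt text says the answer is case-sensitive. Widening the patterns to `yes|y|Yes|Y )` and `no|n|No|N )` (or lowercasing the reply before the `case`) would accept the way operators usually answer. The prompt is also phrased as a double negative (answering "no" to "disable this rule creation?" keeps the rule), which the two echoed outcome lines do clarify, so that is acceptable as long as they stay. The `if` block whose closing `fi` is the last context line begins outside the hunk.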
diff --git a/modules/terraform-zscc-nsg-azure/main.tf b/modules/terraform-zscc-nsg-azure/main.tf index 0a2a293..d0e9510 100755 --- a/modules/terraform-zscc-nsg-azure/main.tf +++ b/modules/terraform-zscc-nsg-azure/main.tf @@ -31,6 +31,23 @@ resource "azurerm_network_security_group" "cc_mgmt_nsg" { destination_address_prefix = "*" } + dynamic "security_rule" { + for_each = var.support_access_enabled ? ["1"] : [] + + content { + name = "Zscaler_Support_Access" + description = "Required for Cloud Connector to establish connectivity for Zscaler Support to remotely assist" + priority = 3000 + direction = "Outbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "12002" + source_address_prefix = "*" + destination_address_prefix = "199.168.148.101" + } + } + security_rule { name = "OUTBOUND" priority = 4000 diff --git a/modules/terraform-zscc-nsg-azure/variables.tf b/modules/terraform-zscc-nsg-azure/variables.tf index 67de470..b9a1537 100755 --- a/modules/terraform-zscc-nsg-azure/variables.tf +++ b/modules/terraform-zscc-nsg-azure/variables.tf @@ -49,3 +49,9 @@ variable "byo_service_nsg_names" { description = "Service Network Security Group ID for Cloud Connector association" default = null } + +variable "support_access_enabled" { + type = bool + description = "If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true" + default = true +}
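Review bot: The destination `199.168.148.101` and port `12002` of the new `Zscaler_Support_Access` rule are hard-coded inside the `dynamic "security_rule"` block with no comment saying where they come from, so neither an operator auditing the NSG nor a maintainer updating it when the support endpoint changes has anything to check against. Hoisting them into named locals with a source reference, e.g. `support_access_ip = "199.168.148.101" # Zscaler support tunnel endpoint, see <doc-link placeholder>` and `support_access_port = "12002"`, would keep the rule self-explaining and make an endpoint change a one-line edit. It is also worth confirming how this rule interacts with the existing `OUTBOUND` rule at priority 4000 that follows it: if that rule already allows all outbound traffic the new rule is redundant, and if it is a deny the variable description should say this rule is the support tunnel's only egress path. The `cc_mgmt_nsg` resource begins before the hunk, so whether the service NSG receives an equivalent rule is not visible here.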