Deploying ZPA in AWS


(Lisa Lorenzin) #1

For those of you deploying Zscaler Private Access (ZPA) in AWS, we have a terrific new resource available! This deployment guide describes how a Zscaler customer can deploy ZPA in AWS through Launch Templates and AutoScaling configurations to create a scalable and supportable ZPA infrastructure. It provides a brief overview of how ZPA applies to AWS migration use cases, and will help to provide a structured approach to the overall solution and illustrate how ZPA accelerates application migration.
Zscaler Private Access Deployment - AWS.pdf (2.0 MB)

(Peter Hayes) #2

Hi Lisa, this is fantastic - when is a version of this expected to land in our help/documentation portal, please?

(Lisa Lorenzin) #3

Tech Pubs is working on it - so, soon!


(Ayanna Sawyer) #4

Yes, we’re currently working on getting this information up on the ZPA Help Portal. So stay tuned.

(Alexander Willacker) #5

Hi Lisa,

We have built one VPC per AWS site and put a pair of connectors there. Then we configured VPC Pairing between this one and the other VPCs in this site. We also do this to reduce the number of connectors per site.

But you are writing:
“For each VPC there should be a pair of Connectors”

So do you see an issue with VPC Pairing and our design?


(Zoltan Kovacs) #6

That is a great question! Our general guidance is indeed at least a pair of connectors in a group per VPC (if you are treating the VPC as an extension of your datacenter with most of your resources in just a few VPCs, in my opinion).

However, many customers do transit VPCs or peering between VPCs like yourself; as long as the Connectors you have deployed are able to route to the apps in the other VPCs, can resolve DNS for the apps in those other VPCs, and the latency between VPCs is minimal, then you are fine.

I would still recommend having connector groups per AWS region at a minimum, so if you have multiple VPCs, let’s say spread between AWS East and AWS West Regions, I’d have a Connector Group for AWS East and another set for AWS West (assuming all VPCs in a Region have peering/connectivity to each other).

Also I have worked with customers who have deployed hundreds of VPCs, most of which do not have peering, site to site VPN, or DirectConnect – basically treating each VPC as its own island. In that case, since there is no routing/connectivity between the various VPCs, ZPA Connectors would need to be deployed in each VPC requiring app access.

Hope this helps!

(Ayanna Sawyer) #7

An updated version of the “Connector Deployment Guide for Amazon Web Services (AWS)” is now available within the ZPA Help Portal:

The direct link to the complete procedure for Launch Templates and Auto Scaling Groups is here:

(Scott Bullock) #8

Much awesome @asawyer!

(Alexander Willacker) #9

Great, that helps - thanks for your fast answer!