[VIDEO] AWS CloudFormation Deployment

Cloud Connector is a virtual appliance within AWS used to forward cloud workload traffic to the Zero Trust Exchange. It can be deployed within an AWS environment using both Terraform and, as a more native scripting option, CloudFormation. Zscaler CloudFormation scripts assume a customer already has an existing cloud deployment that they wish to integrate Zero Trust Network Access principles within. As such, VPCs, NAT Gateways, Internet Gateways, Subnets, and Route Tables should already be configured prior to running these scripts.

  • The Pre-deployment Template ensures certain prerequisites are met prior to running any additional CloudFormation scripts. This script should be run first before running the Starter Deployment Template.
  • The Starter Deployment Template will install a single Cloud Connector appliance within the Subnet chosen and is a requirement for all other scripts. In fact, we recommend that you run this script multiple times to install multiple Cloud Connector VMs within various Availability Zones to satisfy High Availability requirements.
  • The Add-on Template for ZPA will add AWS Route 53 functionality. You can learn more about how ZPA interacts with Cloud Connector via the other videos on this Communities page. In a nutshell, Route 53 allows an administrator to influence cloud workload DNS requests to cross over the Cloud Connector appliance - allowing the appliance to then proxy that traffic by responding to the DNS Request with a synthetic IP address.
  • The Add-on Template for ZPA and High-Availability will add support for both ZPA and AWS Lambda functionality. Please note that AWS Lambda functionality exists to provide backward compatibility for customers who have not yet migrated to Gateway Load Balancer. Zscaler recommends running the Add-on Template with Gateway Load Balancer script instead if a customer is seeking High Availability.
  • The Add-on Template with Gateway Load Balancer (GWLB), as the name would imply, installs a Gateway Load Balancer as well as all the necessary GWLB endpoints and Target Group necessary for High Availability.

In this video, we’ll explore:

[0:00 to 0:44] Pre-requisites and overview of CloudFormation
[0:44 to 1:48] How are CloudFormation scripts obtained, and what does each do?
[1:48 to 2:50] Using the Starter Deployment Template to install a pair of Cloud Connectors
[2:50 to 3:38] Installing Gateway Load Balancer
[3:38 to 4:00] Implementing Zscaler Private Access (Route 53)
[4:00 to 4:35] Key takeaways


Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.

In this video, we’ll explore how Zscaler Cloud Connector can be provisioned within AWS using Cloud Formation Templates. Before you get started, make sure to check out the AWS Pre-Requisites video linked in the description as there are some items that need to be set up prior to running these scripts.

Though CloudFormation scripts can be used in greenfield situations, their value shines when a customer is seeking brownfield integration, since many of the aforementioned prerequisites are generally already satisfied if a customer has an existing AWS buildout. CloudFormation scripts are written in YAML and can be downloaded from the Cloud Connector portal:

  • The Starter Deployment Template will instantiate a single Cloud Connector appliance and associate it with the Subnet and Route Table specified in the CloudFormation workflow. This script is a requirement in order to run any of the other CloudFormation scripts.

  • The Add-on Template with ZPA script will instantiate Route 53 resources for outbound DNS resolution and redirection to the ZPA service for use-cases where Zscaler Zscaler Private Access is the requirement. For more information on ZPA, DNS redirection, and its interaction with Cloud Connector, please check out the AWS DNS Setup for ZPA video linked in the description.

  • The Add-on Template with High-Availability script will instantiate AWS Lambda functionality for high availability. This script assumes that a pair of Cloud Connector instances already exist (with associated Subnets, Route Tables, and Availability Zones) and that a High Availability port was selected during their instantiation. It should be noted that, as of this recording, AWS Gateway Load Balancer is now also supported and will become the new recommendation for High Availability instead of Lambda. AWS Gateway Load Balancer CloudFormation scripts will be available for download in the Cloud Connector portal as well and will be used as the basis for this demonstration.

Start by navigating to your AWS console and searching for CloudFormation. Click the Create Stack button and choose 'With new resources. Upload the Starter Deployment Template script. Provide a stack name, then select the resources that fit your deployment. In this case, we’ll choose a pre-configured VPC, Subnet, Availability Zone, and Keypair. For testing purposes, Zscaler recommends the T3.medium Instance Type. For production deployments, choose C5.large or M5.large. Provide the name of your Secrets Manager object as well as an HTTP port. Though the HTTP port is optional, Zscaler highly recommends a port be entered here so that high availability can be configured. This port identifies a heartbeat service that the appliance uses to report its current health to the AWS Gateway Load Balancer or Lambda function.

Click the Next button, followed by Next again… acknowledge the changes and click the Create Stack button. The script begins to execute and deploy the Cloud Connector resources.

It is highly recommended that you run this script a second time against an adjacent Availability Zone to provide fault tolerance for your implementation.

Once the appliances have been deployed and have registered with the Cloud Connector portal, you can proceed with installing the Gateway Load Balancer service. In the same way that the Cloud Connector appliances were installed, upload the GWLB macro script first. This script pre-configures the environment for GWLB. Once this script is executed, create a new CloudFormation stack with the GWLB script. Select the instances you created previously and identify the HTTP port they were instantiated with.

Choose whether to enable cross-zone load-balancing. GWLB will, by default, attempt to maintain Availability Zone affinity. In the event of an appliance failure, cross-zone load-balancing can be turned on using this dropdown - allowing GWLB to ignore Availability Zone affinity and forward traffic to any available appliance. Be aware that this may incur additional costs from AWS.

Lastly, if ZPA integration is desired, create a CloudFormation stack to enable Route53 functionality. Here, input your Cloud Connector and ZPA cloud name. Application Segment FQDNs defined in ZPA can then be configured in the Domain Name fields. This script will instruct Route 53 to redirect DNS traffic for these domains through the Cloud Connector appliance - allowing the appliance to proxy application traffic via synthetic IP Addresses.

Though useful in Greenfield situations, CloudFormation scripts shine when implemented in a Brownfield environment with existing infrastructure.

  • You can download CloudFormation scripts from the Cloud Connector portal via the Administration > Deployment Templates menu.

  • Make sure you have met the pre-requisites prior to running a CloudFormation script, then upload and execute them from your AWS console.