[VIDEO] AWS Terraform Deployment

Cloud Connector is a virtual appliance that forwards cloud workload traffic to the Zero Trust Exchange. In AWS it can be deployed with Terraform or, as the more AWS-native option, with CloudFormation. Zscaler's Terraform scripts are the "easy" button for deploying Cloud Connector appliances: they automate nearly every aspect of appliance deployment, from VPC creation to Subnet, Route Table, NAT Gateway, and IGW creation. Where required, the Terraform scripts can even deploy test and management workstations. Be aware, however, that this often means that a customer integrating into a brownfield environment will have to adjust these scripts to fit their scenario.

Terraform scripts are wrapped up within an easy-to-use Bash script as well, for those customers who are unfamiliar with Hashicorp Configuration Language. This Bash script (labeled zsec in the archive downloaded from the Cloud Connector UI) provides an interactive prompting mechanism that administrators can use to instantiate their deployments. Simply run ./zsec up from your Bash interpreter and answer the on-screen prompts. The script will handle the rest! For those more familiar with Terraform, the archive contains all the .tf files necessary to customize the deployment to suit the environment.

  • The Starter Deployment Template will instantiate a single or multiple Cloud Connector appliances, private, workload, and public Subnets, their respective Route Tables and routes, a NAT Gateway and an IGW.
  • The Starter Deployment Template with ZPA adds the ability to instantiate Route 53 resources for outbound DNS resolution and redirection to the ZPA service for use-cases where Zscaler Private Access is the requirement.
  • The Starter Deployment Template with a High-Availability script will instantiate AWS Lambda for high availability. Please note that AWS Lambda functionality exists to provide backward compatibility for customers who have not yet migrated to Gateway Load Balancer. Zscaler recommends running the Starter Deployment Template with Gateway Load Balancer script instead if a customer is seeking High Availability.
  • The Starter Deployment Template with ZPA and High-Availability will naturally aggregate all of the aforementioned functionality into a single deployment script.
  • The Starter Deployment Template with Gateway Load Balancer (GWLB), as the name implies, installs a Gateway Load Balancer together with the GWLB endpoints and Target Group needed for High Availability.

In this video, we’ll explore:

[0:00 to 1:08] Pre-requisites and overview of Terraform
[1:08 to 1:57] How are Terraform scripts obtained, and what does each do?
[1:57 to 3:40] Understanding Terraform deployment types
[3:40 to 4:07] Understanding Cross-Zone Load Balancing
[4:07 to 4:32] Executing Terraform via the zsec wrapper
[4:32 to 5:03] Key takeaways

Transcript

Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.

In this video, we’ll explore how Zscaler Cloud Connector can be provisioned within AWS using Terraform scripts. Before you get started, make sure to check out the AWS Pre-Requisites video and Terraform Overview video linked in the description as there are some items that need to be understood and set up prior to running these scripts.

Zscaler Cloud Connector Terraform scripts are the easy button for integrating Zscaler Workload Protection into a cloud environment. Their value shines in the fact that they automate nearly every aspect of appliance deployment, from VPC creation to Subnet, Route Table, NAT Gateway, and IGW creation. Where required, Terraform scripts can even deploy test and management workstations. Be aware, however, that this often means that a customer wishing to integrate into a brownfield environment may have to adjust these scripts to fit their scenario.

Though Terraform scripts are natively written in Hashicorp Configuration Language, or HCL, Zscaler encapsulates these scripts within a Bash script to make it easier to deploy. Keep this in mind if you choose to deploy with this option as you will need a Bash interpreter - such as AWS CloudShell, a Linux machine, or a Windows machine running the Windows Subsystem for Linux. Navigate to the Administration menu, followed by Deployment Templates.

  • The Starter Deployment Template will instantiate a single Cloud Connector appliance, a private, workload, and public Subnet, their respective Route Tables and routes, a NAT Gateway and an IGW.

  • The Starter Deployment Template with ZPA adds the ability to instantiate Route 53 resources for outbound DNS resolution and redirection to the ZPA service for use-cases where Zscaler Private Access is the requirement. For more information on ZPA, DNS redirection and its interaction with Cloud Connector, please check out the AWS DNS Setup for ZPA video linked in the description.

  • The Starter Deployment Template with a High-Availability script will instantiate AWS Lambda or GWLB functionality for high availability.

  • The Starter Deployment Template with ZPA and High-Availability will naturally aggregate all of the aforementioned functionality into a single deployment script.

Download the script applicable to your scenario and unzip it. The directory has several files: a ChangeLog, a ReadMe, a Variables file, the Terraform script directory, and the Bash script wrapper. Open the variables file - terraform.tfvars - with your favorite text editor. For all deployments, variables 1, 2, and 3 must be uncommented and filled in. Here, we will paste in our Provisioning URL, our AWS Secrets Manager name, and the HTTP Probe Port. Though the HTTP port is optional, Zscaler highly recommends a port be entered here so that high availability can be configured. This port identifies a heartbeat service that the appliance uses to report its current health to the AWS Gateway Load Balancer or Lambda function.

Notice that the file contains additional variables when scrolling down. This allows the user to customize the deployment for Brownfield environments. Though it won’t be the focus of this demonstration, these variables can also be uncommented and adjusted to suit your environment.

Run the zsec Bash script in your terminal by executing the command ./zsec up. Notice how the Bash script then prompts for the type of deployment you wish to execute. The base will install a VPC, workload Subnet, Route Table, IGW, and a test workload. Base 1cc will install a single Cloud Connector into the mix by adding a NAT Gateway, additional private Subnets, and Route Tables. Base 1cc ZPA will add Route 53 support for DNS forwarding of ZPA Application Segments. Similarly, Base 2cc and Base 2cc ZPA will add a second Cloud Connector appliance in a second availability zone, along with AWS Lambda. Base CC GWLB and Base CC GWLB ZPA will likewise provide High Availability and ZPA functionality, but will replace AWS Lambda with AWS Gateway Load Balancer. The remaining ‘custom’ options should be chosen if you modified any variables in the terraform.tfvars file outside of the first three, as discussed previously.

Should you choose GWLB as your High Availability option, note that cross-zone load-balancing will be disabled by default: GWLB attempts to maintain Availability Zone affinity. In the event of an appliance failure, this functionality can be turned on if you wish - allowing GWLB to ignore Availability Zone affinity and forward traffic to any available appliance. This may incur additional costs from AWS, however, so if necessary, you can disable this function by uncommenting the cross_zone_lb_enabled variable and updating it to false.

The Bash script then automatically installs Terraform, fetches the necessary providers, and executes the deployment. If this is the first time you’ve run Terraform, you may be prompted for your AWS Access Key, Secret Key, and Region. Once complete, notice that the script provides login information for your newly instantiated hosts. You can also log in to your AWS console to review Terraform’s changes.

  • Terraform is a highly customizable and easy option for deploying Cloud Connector. By default, it is well suited for Greenfield installation, but can be tailored for Brownfield with minimal effort.

  • You can download the latest Terraform scripts from the Cloud Connector portal via the Administration > Deployment Templates menu.

  • Make sure you have met the pre-requisites prior to running Terraform, then execute the zsec Bash script.
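The transcript describes editing terraform.tfvars (uncomment the Provisioning URL, the AWS Secrets Manager secret name and the HTTP probe port, optionally cross_zone_lb_enabled) and then running ./zsec up. The pre-flight script below is an added example, not code from the video, the page or Zscaler's archive. It parses a tfvars file and refuses to proceed if a required variable is still commented out, if the provisioning URL is not HTTPS, or if the probe port is not a valid port number, and it reports whether cross_zone_lb_enabled was overridden. The variable names cc_vm_prov_url, secret_name and http_probe_port are assumptions (the transcript calls them "variables 1, 2, and 3" without naming them; only cross_zone_lb_enabled is named on the page), so check the ReadMe in your archive and adjust REQUIRED_VARS. The optional Secrets Manager lookup uses the real `aws secretsmanager describe-secret` command and only runs when CHECK_AWS=1; the tfvars content in the usage comment is constructed.

```shell
#!/bin/sh
# Pre-flight check for a Cloud Connector terraform.tfvars before running ./zsec up.
# Added example; variable names are ASSUMED (see the ReadMe in your downloaded archive).
set -u

# Variables that must be uncommented and filled in for every deployment (assumed names).
REQUIRED_VARS="cc_vm_prov_url secret_name http_probe_port"

# tfvars_get FILE KEY: print the value of an uncommented `KEY = value` line (quotes and
# trailing comment stripped). Returns 1 when the key is absent or commented out.
tfvars_get() {
  local file="$1" key="$2" line
  line=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" | tail -n 1)
  [ -n "$line" ] || return 1
  line=${line#*=}     # drop "KEY ="; any later "=" (e.g. in a URL query) is kept
  line=${line%%#*}    # drop a trailing "# comment"
  printf '%s' "$line" | sed -E 's/^[[:space:]]*"?//; s/"?[[:space:]]*$//'
}

# check_tfvars FILE: 0 if every required variable is set and sane, 1 otherwise.
# Findings go to stderr so the caller can still capture values on stdout.
check_tfvars() {
  local file="$1" key val rc=0
  for key in $REQUIRED_VARS; do
    if ! val=$(tfvars_get "$file" "$key"); then
      echo "MISSING: $key is absent or still commented out in $file" >&2
      rc=1
      continue
    fi
    case "$key" in
      cc_vm_prov_url)
        case "$val" in
          https://*) ;;
          *) echo "BAD: $key must be an https:// provisioning URL, got '$val'" >&2; rc=1 ;;
        esac ;;
      secret_name)
        # Only the Secrets Manager secret NAME belongs here; credentials stay in the secret.
        [ -n "$val" ] || { echo "BAD: $key is empty" >&2; rc=1; } ;;
      http_probe_port)
        # Heartbeat port reported to GWLB/Lambda. Must be a TCP port; the exact range the
        # template allows is an assumption, so consult the ReadMe as well.
        case "$val" in
          ''|*[!0-9]*) echo "BAD: $key must be numeric, got '$val'" >&2; rc=1 ;;
          *) if [ "$val" -lt 1 ] || [ "$val" -gt 65535 ]; then
               echo "BAD: $key must be in 1-65535, got '$val'" >&2; rc=1
             fi ;;
        esac ;;
    esac
  done
  if val=$(tfvars_get "$file" cross_zone_lb_enabled); then
    echo "INFO: cross_zone_lb_enabled = $val (GWLB cross-zone load balancing overridden)" >&2
  else
    echo "INFO: cross_zone_lb_enabled not set; template default applies" >&2
  fi
  return "$rc"
}

# secret_exists NAME: 0 if the AWS CLI can describe the secret in the current account/region.
# This is a network call that needs configured AWS credentials.
secret_exists() {
  aws secretsmanager describe-secret --secret-id "$1" >/dev/null 2>&1
}

# preflight FILE: run the offline checks, then (if CHECK_AWS=1) confirm the secret exists.
preflight() {
  local file="$1" secret
  check_tfvars "$file" || return 1
  if [ "${CHECK_AWS:-0}" = "1" ]; then
    secret=$(tfvars_get "$file" secret_name)
    secret_exists "$secret" || { echo "BAD: secret '$secret' not found in Secrets Manager" >&2; return 1; }
  fi
  echo "OK: $file passes pre-flight; run ./zsec up"
}

# Usage: CHECK_AWS=1 ./preflight.sh terraform.tfvars
# Constructed tfvars that passes:
#   cc_vm_prov_url  = "https://connector.example.invalid/api/v1/provUrl?name=demo"
#   secret_name     = "ZS/CC/credentials/demo"
#   http_probe_port = 50000
if [ $# -gt 0 ]; then
  preflight "$1"
fi
```

Run it against the tfvars you edited before calling ./zsec up; a non-zero exit means the deployment would either fail or come up without the heartbeat that GWLB or Lambda needs for high availability.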
