[VIDEO] Azure Terraform Deployment

Cloud Connector is a virtual appliance within Microsoft Azure used to forward cloud workload traffic to the Zero Trust Exchange. It can be deployed within an Azure environment using either Terraform or, as a more native option, Azure Marketplace. Zscaler Terraform scripts represent the “easy” button when deploying Cloud Connector appliances. Their value shines in the fact that they automate nearly every aspect of appliance deployment, from VNet creation to Subnet, Route Table, and NAT Gateway creation. Where required, Terraform scripts can even deploy test and management workstations. Be aware, however, that this often means that a customer wishing to integrate into a brownfield environment may have to adjust these scripts to fit their scenario.

Terraform scripts are wrapped up within an easy-to-use Bash script as well, for those customers who are unfamiliar with HashiCorp Configuration Language. This Bash script (labeled zsec in the archive downloaded from the Cloud Connector UI) provides an interactive prompting mechanism that administrators can use to instantiate their deployments. Simply run ./zsec up from your Bash interpreter and answer the on-screen prompts. The script will handle the rest! For those more familiar with Terraform, the archive contains all the .tf files necessary to customize the deployment to suit the environment.

  • The Starter Deployment Template will instantiate a single or multiple Cloud Connector appliances with associated Subnets, a workload Subnet, their respective Route Tables and routes, and a NAT Gateway.
  • The Starter Deployment Template with Load Balancer script will additionally instantiate an Azure Standard Load Balancer for High Availability.

In this video, we’ll explore:
[0:00 to 1:08] Pre-requisites and overview of Terraform
[1:08 to 1:30] How are Terraform scripts obtained, and what does each do?
[1:30 to 2:45] Understanding Terraform deployment types
[2:45 to 3:15] Executing Terraform via the zsec wrapper
[3:15 to 3:45] Key takeaways

Transcript

Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.

In this video, we’ll explore how Zscaler Cloud Connector can be provisioned within Microsoft Azure using Terraform scripts. Before you get started, make sure to check out the Azure Pre-Requisites video and Terraform Overview video linked in the description as there are some items that need to be understood and set up prior to running these scripts.

Zscaler Cloud Connector Terraform scripts are the easy button for integrating Zscaler Workload Protection into a cloud environment. Their value shines in the fact that they automate nearly every aspect of appliance deployment, from VNet creation to Subnet, Route Table, and NAT Gateway creation. Where required, Terraform scripts can even deploy test and management workstations. Be aware, however, that this often means that a customer wishing to integrate into a brownfield environment may have to adjust these scripts to fit their scenario.

Though Terraform scripts are natively written in HashiCorp Configuration Language, or HCL, Zscaler encapsulates these scripts within a Bash script to make it easier to deploy. Keep this in mind if you choose to deploy with this option as you will need a Bash interpreter - such as Azure CloudShell, a Linux machine, or a Windows machine running Subsystem for Linux. Navigate to the Administration menu, followed by Deployment Templates, then the Azure tab.

  • The Starter Deployment Template will instantiate a single Cloud Connector appliance with an associated Subnet, a workload Subnet, their respective Route Tables and routes, and a NAT Gateway.

  • The Starter Deployment Template with Load Balancer script will instantiate an Azure Standard Load Balancer for high availability.

Download the script applicable to your scenario and unzip it. The directory contains several files: a ChangeLog, a ReadMe, a Variables file, the Terraform script directory, and the Bash script wrapper. Open the variables file - terraform.tfvars - with your favorite text editor. For all deployments, variables 1, 2, and 3 must be uncommented and filled in. Here, we will paste in our Provisioning URL, our Azure Key Vault URL, and uncomment the HTTP Probe Port. Though the HTTP port is optional, Zscaler highly recommends a port be entered here so that high availability can be configured. This port identifies a heartbeat service that the appliance uses to report its current health to the Azure Standard Load Balancer.

Notice that the file contains additional variables when scrolling down. This allows the user to customize the deployment for Brownfield environments. Though it won’t be the focus of this demonstration, these variables can also be uncommented and adjusted to suit your environment.

Run the zsec Bash script in your terminal by executing the command ./zsec up. Notice how the Bash script then prompts for the type of deployment you wish to execute. The base will install a VNet, workload Subnet, Route Table, NAT Gateway, and a test workload. Base CC will install a single Cloud Connector into the mix by adding additional Subnets and Route Tables. Base CC LB will add a second Cloud Connector appliance in a second availability zone, along with Microsoft Azure Standard Load Balancer. The remaining ‘custom’ options should be chosen if you modified any variables in the terraform.tfvars file outside of the first three, as discussed previously.

The Bash script then automatically installs Terraform, fetches the necessary providers, and executes the deployment. If this is the first time you’ve run Terraform, you may be prompted for your Azure Client ID, Client Secret, Tenant ID, Object ID, and Region. Once complete, notice that the script provides login information for your newly instantiated hosts. You can also log in to your Azure console to review Terraform’s changes.

  • Terraform is a highly customizable and easy option for deploying Cloud Connector. By default, it is well suited for Greenfield installation, but can be tailored for Brownfield with minimal effort.

  • You can download the latest Terraform scripts from the Cloud Connector portal via the Administration > Deployment Templates menu.

  • Make sure you have met the pre-requisites prior to running Terraform, then execute the zsec Bash script.
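As an added preflight check (not Zscaler's zsec wrapper or its Terraform scripts) for the terraform.tfvars step the transcript walks through, the shell functions below confirm that the three required variables are uncommented and well-formed before ./zsec up is run; the variable names cc_vm_prov_url, azure_vault_url and http_probe_port and the sample values are assumptions, since the page names the fields only as Provisioning URL, Azure Key Vault URL and HTTP Probe Port.

```shell
# Added preflight check, not part of Zscaler's zsec wrapper or Terraform scripts.
# Variable names are assumptions; the page names the fields only as
# Provisioning URL, Azure Key Vault URL and HTTP Probe Port.
# Print the value of the last uncommented `name = value` line (quotes stripped).
# A line starting with '#' never matches, so a still-commented variable is "".
tfvar_value() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
    | sed -E 's/^[^=]*=[[:space:]]*//; s/^"//; s/"[[:space:]]*$//'
}
# Return 0 when all three required variables pass, 1 otherwise.
validate_tfvars() {
  file="$1"; rc=0
  prov=$(tfvar_value "$file" cc_vm_prov_url)
  vault=$(tfvar_value "$file" azure_vault_url)
  port=$(tfvar_value "$file" http_probe_port)
  # The appliance fetches its provisioning config from this URL, so insist on HTTPS.
  case "$prov" in
    https://*) ;;
    *) echo "cc_vm_prov_url missing or not https://" >&2; rc=1 ;;
  esac
  # Credentials live in Key Vault, never in this file: only a vault URL is allowed.
  case "$vault" in
    https://*.vault.azure.net*) ;;
    *) echo "azure_vault_url missing or not an Azure Key Vault URL" >&2; rc=1 ;;
  esac
  # The heartbeat probe port must be uncommented, numeric and a valid TCP port.
  case "$port" in
    ''|*[!0-9]*) echo "http_probe_port missing or not numeric" >&2; rc=1 ;;
    *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
         echo "http_probe_port out of range" >&2; rc=1
       fi ;;
  esac
  return $rc
}
# Constructed sample terraform.tfvars (placeholder values) written to a temp file.
write_sample_tfvars() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
cc_vm_prov_url  = "https://connector.example.invalid/provUrl?name=PLACEHOLDER"
azure_vault_url = "https://example-kv.vault.azure.net/"
http_probe_port = 50000
#environment    = "Development"
EOF
  echo "$f"
}
validate_tfvars "$(write_sample_tfvars)" && echo "terraform.tfvars looks ready for ./zsec up"
```

Run it against your real terraform.tfvars (validate_tfvars ./terraform.tfvars) before ./zsec up; any line still prefixed with # is reported as missing.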
