[VIDEO] Call Home

When issues arise, as they often do, how can we guarantee that we capture enough information to not only remediate the issue but also identify what caused it and prevent it from happening again? This is the job of the Call Home functionality within Cloud Connector. As Cloud Connector appliances process cloud workload traffic, the Call Home process periodically captures log files and reports this information to Zscaler engineering. In the event your appliance experiences a problem, Zscaler engineering then immediately has access to the information necessary to both remediate the issue and perform a root-cause analysis.

The feature works by establishing a limited two-way communication channel between the customer’s AWS account and Zscaler’s AWS account. The Cloud Connector appliance, using its configured and attached IAM role, then assumes the callhome-delegation-role configured within Zscaler’s AWS account. If authorized, temporary credentials will then be passed back to the Cloud Connector appliance. These credentials are then used to authenticate to the Zscaler S3 bucket where the Cloud Connector will post its log files. Zscaler engineering can then collect the posted files from the S3 bucket and begin diagnosis.

In this video, we’ll explore:
[0:00 to 0:41] What is Call Home?
[0:41 to 1:28] How does Call Home work?
[1:28 to 3:13] How do you configure Call Home?
[3:13 to 4:10] What are the key takeaways?

Transcript

Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.
In this video, we’ll discuss how you can set up the Cloud Connector appliance to utilize Call Home functionality within AWS.

Call Home is built-in functionality to export certain data and statistics to Zscaler in the occurrence of a fatal event in the Cloud Connector VM - such as instance crashes, failure to boot, etc. These statistics are used by Zscaler engineering to diagnose and rectify any issues encountered, or to perform root-cause analysis. It is highly recommended that Call Home functionality be enabled when building new Cloud Connector appliances in order to assist with any future troubleshooting efforts.

The feature works by establishing limited 2-way communication between the customer’s AWS account and Zscaler’s AWS account. In the event of a failure or issue, the Call Home functionality is invoked. The Cloud Connector appliance, using its configured and attached IAM role, then attempts to assume the callhome-delegation-role configured within Zscaler’s AWS account. If authorized, temporary credentials will then be passed back to the Cloud Connector appliance. These credentials are then used to authenticate to the Zscaler S3 bucket where the Cloud Connector will post its log files. Zscaler engineering can then collect the posted files from the S3 bucket and begin diagnosis.

There are two steps to configure Call Home. First, the necessary policy needs to be added to the IAM role attached to the Cloud Connector appliance and second, the ARN of that role needs to be provided to Zscaler support. This will ensure a mutual trust exists between the two entities.

To begin, navigate to the EC2 Instances dashboard of your AWS account. Find the EC2 instance for the Cloud Connector appliance. Scroll down to the Instance IAM Role details and click on the role shown. In the permissions tab, click on the Add permissions button, followed by Create inline policy. Choose the JSON tab. In the blank field that appears, enter the following info shown on your screen. A copy of this information will be placed in the description of this video as well:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDelegationForCallhome",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::223544365242:role/callhome-delegation-role"
        }
    ]
}

Please note that Terraform and CloudFormation scripts will eventually be adjusted to perform this step for you automatically. Hence, depending on when you’re watching this video, you may not need to adjust your IAM Role. As a matter of best practice, however, you should review the configured roles and permissions to both ensure they align with organization security policy and for the presence of the displayed permission for Call Home.

As a final step in establishing 2-way trust, copy the ARN of the updated IAM role attached to your appliance. This ARN must be supplied to Zscaler engineering to be added to our policy. Please open a support ticket and provide the ARN for each of your Cloud Connector IAM roles in use. Each Cloud Connector maintains its own IAM role and, hence, its own ARN, so ensure you include all ARNs in the ticket.
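The review step above asks you to confirm the attached role carries the Call Home permission and nothing wider. The following offline checker is an added example (not Zscaler tooling): it parses a policy document such as the inline policy shown earlier, reports whether it allows sts:AssumeRole on the Zscaler callhome-delegation-role, flags wildcard grants that would let the instance assume roles beyond that one, and honours an explicit Deny. Statement conditions and NotAction/NotResource are not evaluated, which is an assumption of this simplified check.

```python
"""Offline least-privilege check for the Call Home delegation policy."""
import fnmatch
import json

# Role ARN exactly as it appears in the inline policy on this page.
CALLHOME_ROLE_ARN = "arn:aws:iam::223544365242:role/callhome-delegation-role"

# The page's inline policy, embedded so the check runs without AWS access.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDelegationForCallhome",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": CALLHOME_ROLE_ARN,
    }],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, target, case_insensitive):
    """IAM-style wildcard match: actions are case-insensitive, ARNs are not."""
    if case_insensitive:
        pattern, target = pattern.lower(), target.lower()
    return fnmatch.fnmatchcase(target, pattern)


def check_callhome_policy(policy_json):
    """Return {"allowed": bool, "denied": bool, "overbroad": [Sids]}."""
    policy = json.loads(policy_json)
    result = {"allowed": False, "denied": False, "overbroad": []}
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        covers = (any(_matches(a, "sts:AssumeRole", True) for a in actions)
                  and any(_matches(r, CALLHOME_ROLE_ARN, False) for r in resources))
        if not covers:
            continue
        if stmt.get("Effect") == "Deny":
            result["denied"] = True  # an explicit Deny overrides any Allow
            continue
        result["allowed"] = True
        # A wildcard here grants more than the single Zscaler role Call Home needs.
        if any("*" in a for a in actions) or any("*" in r for r in resources):
            result["overbroad"].append(stmt.get("Sid", "<no Sid>"))
    result["allowed"] = result["allowed"] and not result["denied"]
    return result


if __name__ == "__main__":
    print(check_callhome_policy(PAGE_POLICY))
```

Feed it the JSON of each Cloud Connector role's policies in turn; a role whose result is not allowed, or that lists any Sid under overbroad, is the one to fix before you send its ARN to support.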

That’s it! The Cloud Connector will now use the Call Home functionality to report failures directly to Zscaler engineering. You can test this functionality from the command line of the appliance itself. Once logged in, enter the root shell and execute the following command:
januscli callhome backup --instance-dir /sc/instances/edgeconnector0 --paths /sc/instances/edgeconnector0/core/

By default, the command packs up the paths listed here and exports them to Zscaler:

/etc/janus/
/var/run/janus*
/sc/instances/edgeconnector0/conf/
/sc/instances/edgeconnector0/logs/

Should the Call Home fail, ensure that the trust relationship exists and there are no 400 errors - such as a 403 Unauthorized - and that space exists on the appliance itself to generate the archives to be posted. If in doubt, please contact Zscaler support for more information.

– Cloud Connector appliances can automatically export logs and statistical information to Zscaler engineering for troubleshooting and root-cause analysis via Call Home
– Call Home works by establishing mutual trust between the Cloud Connector appliance IAM Role and Zscaler. In the event of issues, this trust can be leveraged to deposit log archives into Zscaler’s S3 bucket
– Terraform and CloudFormation will automatically add the necessary IAM permissions, but you should review them as a matter of best practice. You may need to manually add the IAM policy, depending on when you’re watching this video
– Open a Zscaler support ticket to have the Cloud Connector IAM Role ARNs added to the Zscaler Trust Relationship. Remember, each Cloud Connector has a separate IAM Role and ARN, so ensure all of them are provided
