[VIDEO] Location Templates / Provisioning Templates

Locations are one of the staples to policy enforcement within the Zero Trust Exchange. They identify the various networks from which your organization sends its traffic and, likewise, what sort of scrutiny the traffic should be subjected to. Cloud locations, such as AWS VPCs and Microsoft Azure VNets, are no different. However, since Cloud Connector appliances dynamically learn of cloud locations and automatically populate ZIA and ZPA dashboards, a flexible option must exist that allows administrators to templatize the onboarding process, making it easier to ensure both existing and new cloud workloads adhere to organizational policy.

Furthermore, pinning newly learned cloud locations to the correct Location Template and its defined attributes is the job of a Provisioning Template. As part of the initialization process, Cloud Connector appliances get pre-configured to dial home using the Provisioning URL generated by the Provisioning Template. This Provisioning URL not only instructs the appliance on how to dial home, but also defines what attributes should be enabled or disabled on the Locations serviced by that appliance. Hence, multiple Provisioning Templates and URLs, as well as Location Templates, can be created for various portions of a multi-cloud environment to enable or disable required network services.

In this video, we’ll explore:
[0:00 to 0:58] What are Location Templates?
[0:58 to 1:14] How are Location Templates configured?
[1:14 to 2:10] What is a Provisioning Template? And how are they configured?
[2:10 to 2:50] What are the key takeaways?

Transcript

Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.
In this video, we’ll be exploring some of the prerequisites to deploying Zscaler Cloud Connector, namely Location and Provisioning Templates.

If you’ve been around Zscaler long enough, you already know about how Locations are used to identify the various networks from which your organization sends its traffic… such as AWS VPCs and Microsoft Azure VNets. When the Zscaler Zero Trust Exchange receives this traffic, it checks whether the traffic is from a known location. If the traffic is from a known location, the service processes the traffic based on the Location’s settings… such as whether the Location has Authentication, Firewall or Bandwidth Control enabled and proceeds accordingly. The Zero Trust Exchange can also apply Location-based policies that you configure and logs network activity by Location.

Zscaler Cloud Connector appliances automatically create Locations based on the Cloud Service Provider networks that they serve. Controlling which features are enabled or disabled for dynamically created Locations is the job of a Location Template.

Location Templates are configured under the Administration menu. Provide a name and, optionally, a Template Prefix. The Template Prefix will be prepended to all Locations this template is attached to in order to help make a Location more easily identifiable. Select the options you wish to enable and click the Save button.

The glue that binds a cloud network to a Location Template and, hence, a Location and its configured attributes is a Provisioning Template. Provisioning Templates are configured under the Administration menu as well. Provide a name and description, then select the Location Template you wish to bind to all appliances registering under this Provisioning Template. Each Provisioning Template you create has its own unique Provisioning URL. Although Provisioning Templates can be shared across many Cloud Connector appliances, they are unique to each Cloud Service Provider… meaning AWS Provisioning Templates are exclusive of Microsoft Azure Provisioning Templates.

As part of the initialization process, Cloud Connector appliances get pre-configured to dial home using the Provisioning URL generated by the Provisioning Template. This Provisioning URL not only instructs the appliance on how to dial home, but also defines what attributes should be enabled or disabled on the Locations serviced by that appliance. Hence, multiple Provisioning Templates and URLs can be created for various portions of a multi-cloud environment to enable or disable required network services.

The cloud Provisioning URL is a prerequisite for deploying the Cloud Connector as a virtual machine (VM) in Amazon Web Services (AWS) and Microsoft Azure as it provides a registration endpoint for initializing Cloud Connector appliances.

To obtain a Provisioning URL, you need to configure a Provisioning Template and a Location Template. The Provisioning URL binds the appliance to a Provisioning Template, which further binds the appliance to a Location Template and, ultimately, to a Location and its attributes.

Once created, the Provisioning URL can be used multiple times based on your requirements.

This is great! For customers and folks already familiar with ZIA locations for GRE/IPsec tunnels, the gateway options you find in the Cloud Connector location templates offer the same capabilities (such as turning user authentication on/off, enabling firewall control, IPS control, etc.).

As all location names are automatically generated in ZIA when Cloud Connectors are provisioned, they will use the prefix configured in these templates. Depending on your ZIA policy requirements, you can create ZIA dynamic locations based on the prefix using the name value. This allows you to reduce the number of policy objects you might need to create in ZIA if you wish to apply such policy to all locations with these prefixes.