[VIDEO] - ZPA-AWS Automated Terraform Deployment

App Connectors provide the secure authenticated interface between a customer’s servers and the ZPA cloud. App Connectors can be deployed in several forms. Zscaler distributes a standard virtual machine (VM) image for deployment in enterprise data centers, local private cloud environments such as VMware, or public cloud environments such as Amazon Web Services (AWS) EC2. Additionally, Zscaler provides packages that can be installed on supported Linux distributions.

Zscaler’s Terraform module for App Connector deployment provides an “easy” button when deploying App Connector appliances. The Terraform modules can automate nearly every aspect of appliance deployment, from VPC creation to Subnets, Route Tables, NAT Gateways, and IGW creation.

The Terraform modules described in this video can deploy both Greenfield and Brownfield environments; however, be aware that additional adjustments may be required if further customization is necessary to fit specific customer environments.

For those customers who are unfamiliar with HashiCorp Configuration Language (HCL), the module provides an easy-to-use Bash script. This Bash script (labeled zsac) provides an interactive prompting mechanism that administrators can use to instantiate their deployments. Simply run ./zsac up from your Bash interpreter and answer the on-screen prompts. The script will handle the rest! For those more familiar with Terraform, the module contains all the .tf files necessary to customize the deployment to suit their environment.

In this video, we’ll explore:

0:00:05;16 – 0:00:30;16 – Introduction
0:00:15;00 – 0:01:47;02 – Pre-Requisites and Terraform Overview
0:01:47;08 – 0:03:46;03 – Understanding Terraform Deployment Types
0:03:48;10 – 0:04:01;23 – Terraform Registry Documentation
0:04:02;23 – 0:04:29;15 – App Connector Automated Provisioning Workflow
0:04:31;03 – 0:04:46;21 – App Connector Module GitHub repository
0:04:46;27 – 0:07:19;10 – Executing Terraform via the zsac wrapper
0:07:19;13 – 0:08:15;00 – Key Takeaways


Hi, my name is William Guilherme, and I am a Solutions Architect with the Zscaler Technology Alliances team.

In this video, we’ll introduce a new Terraform Module Template to automate the deployment of the ZPA App Connector VMs in AWS.

This module also performs the full configuration management of the ZPA App Connector by leveraging the ZPA Terraform Provider post-provisioning for complete onboarding in the ZPA Cloud.

Before you get started, make sure to check out the AWS Pre-Requisites video and Terraform Overview video linked in the description, as there are some items that you need to understand and set up prior to running these scripts.

We also recommend that you check out the ZPA Terraform Provider video series introduction for the pre-requisites necessary to utilize the ZPA Terraform Provider for the complete onboarding of the App Connector VM post-provisioning.

Part 3

The Zscaler App Connector Terraform module is an easy button to automate your Day 0 and Day 1 operations when deploying App Connector virtual machines in AWS.

The module was designed to automate nearly every aspect of appliance deployment, from VPC creation to Subnet, Route Table, NAT Gateway, and IGW creation.

Be aware that customers wishing to use this module to deploy App Connectors into a brownfield environment may have to adjust these scripts to fit their scenario.

Though Terraform scripts are natively written in HashiCorp Configuration Language, or HCL, Zscaler encapsulates these scripts within a Bash script to make them easier to deploy.

Keep this in mind if you choose to deploy with this option, as you will need a Bash interpreter such as AWS CloudShell, a Linux machine, or a Windows machine running Windows Subsystem for Linux.

Part 4

The Terraform module for ZPA App Connector provides several deployment option models depending on your scenario.

The AC deployment type will deploy:

  • 1 x VPC
  • Route Tables
  • Internet Gateway
  • NAT Gateways
  • Public Subnets and Private Subnets
  • A pair of App Connector VMs

The AC_ASG deployment type will deploy:

  • 1 x VPC
  • Route Tables
  • 1 x Internet Gateway
  • 2 x NAT Gateways
  • 2 x Public Subnets
  • 2 x Private Subnets
  • 1 x Auto-Scaling group + Launch Template that spans across all App Connector Subnets

The next 3 deployment types are suitable for greenfield/PoV/Lab deployments and not recommended for production.

The Base deployment type will not deploy any App Connector VMs; however, it will deploy:

  • 1 x VPC
  • Route tables
  • 1 x Internet Gateway
  • 1 x NAT Gateway
  • 1 x Public and Private Subnets
  • 1 x Bastion Host VM with an Elastic IP

The Base_AC deployment type will deploy everything included in the Base deployment type, such as:

  • 1 x VPC
  • Route Tables
  • 1 x Internet Gateway
  • NAT Gateways
  • Public and Private Subnets
  • 1 x Bastion Host VM with an Elastic IP
  • 2 x App Connector VMs in their respective availability zones.
    • Notice that Zscaler recommends App Connectors be deployed in a private subnet; however, if you decide to deploy to a public subnet, additional configuration is needed to enable automatic dynamic IPv4 address assignment to the App Connector VMs.

The Base_AC_ASG deployment type is similar to the Base_AC deployment, but it will create an App Connector Auto-Scaling Group and Launch Template spanning all Subnets, routing through a NAT Gateway in their respective Availability Zone:

  • 1 x VPC
  • Route Tables
  • Internet Gateway
  • NAT Gateway
  • Public and Private Subnets
  • 1 x Bastion Host VM with an Elastic IP
  • 1 x Auto-Scaling group with a Launch Template

This Terraform module was designed to assist with scalable deployments by leveraging the Zscaler Private Access Terraform Provider to complete the configuration management and full onboarding of the App Connector VMs in the ZPA Cloud.

The module will automatically create an App Connector Group and Provisioning Keys; however, you can also reconfigure the parameters to utilize existing App Connector Group and Provisioning Key objects.

Once you select your deployment type, Terraform will download and install all necessary providers and create a new App Connector Group and Provisioning Keys; once the VMs are up and running, the onboarding process will start automatically. With the onboarding fully complete, the App Connectors will then show up in the management console.

To start with deployment, first navigate to the GitHub repository, then click on Releases on the right-hand side and scroll down to the Assets section. Then download the module package to your local computer and unzip the file.

You can now open your terminal, navigate to the module folder and then to the examples folder. The directory contains all the example deployments we’ve discussed so far, including a Bash Script wrapper that can be used for easy deployment.

Choose the desired deployment model and navigate to the appropriate directory. Open the variables file terraform.tfvars with your preferred text editor such as vi, vim, Visual Studio Code or Atom.

Variables 1 and 2 are present in all deployments except Base deployments. Uncomment these variables if you want to create a brand-new App Connector Group and Provisioning Keys; otherwise, skip to Step 3, where you can indicate to Terraform to utilize an existing Provisioning Key by uncommenting both variables.

You can also customize additional variables to fit your deployment, such as the region, the instance types, and the number of Availability Zones.

Notice that the file contains additional variables when scrolling down. This allows the user to customize the deployment for Brownfield environments. Though it won’t be the focus of this demonstration, these variables can also be uncommented and adjusted to suit your environment.

To start with your deployment, run the zsac Bash script in your terminal by executing the command ./zsac up. The Bash script then prompts you for the type of deployment you wish to execute.

If this is the first time you are running Terraform, you may be prompted for your AWS Access Key, Secret Key, and Region.

You will also be prompted for your ZPA API credentials. In this case you must provide your Client ID, Client Secret and Customer ID.

If you already have a provisioning key you’d like to associate with this deployment, simply type yes, and the new app connector will be associated with the corresponding app connector group.

You can then lock down the security group by specifying the source IP address allowed to SSH to the bastion host instance, which in turn is allowed to access the App Connector instances.

Finally, you will be prompted for the instance type, the number of instances, and the number of Availability Zones where you’d like to deploy the ZPA App Connectors.

Once you provide the required information, the Bash script then automatically installs Terraform, fetches the necessary providers, and executes the deployment.

At the end of the deployment, the script will provide login information for your newly instantiated App Connector VMs, or you can also log in to your AWS and ZPA management consoles to review the Terraform changes.

In Summary

  • Ensure that you have met the AWS pre-requisites prior to running Terraform, then execute the zsac Bash script by running the command ./zsac up to start the deployment, or ./zsac destroy to deprovision.

  • Ensure you have met the ZPA Terraform Provider introduction pre-requisites.

  • The ZPA App Connector Terraform modules are well suited for both greenfield and brownfield deployments with minimal effort required.

  • The latest ZPA App Connector Terraform module can be downloaded from the GitHub repository.

  • The module utilizes the ZPA Terraform Provider for automated onboarding of App Connector VMs once the provisioning process is finalized.

  • By default, the module will leverage the ZPA Terraform Provider to provision a new App Connector Group and Provisioning Key, but it can also be configured to use an existing App Connector Group and Provisioning Keys.
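A pre-apply guardrail for the terraform.tfvars values the video walks through (an added example, not code from the Zscaler module or the zsac wrapper): it parses a constructed tfvars file and flags a bastion SSH source open to the world, App Connectors placed in a public subnet, or an existing-key selection with no key name. The variable names bastion_ssh_source_cidr, ac_in_public_subnet, byo_provisioning_key and byo_provisioning_key_name are assumptions for illustration, not necessarily the module’s own.

```python
import ipaddress
import re

# Constructed sample, modelled on the tfvars layout the video walks through.
# Variable names are assumptions for illustration, not the module's own.
SAMPLE_TFVARS = """
# 1. app_connector_group_name = "ac-group"
# 2. provisioning_key_name    = "ac-key"
byo_provisioning_key      = true            # 3. reuse an existing key
byo_provisioning_key_name = "existing-key"
aws_region                = "us-west-2"
az_count                  = 2
bastion_ssh_source_cidr   = "0.0.0.0/0"     # value typed at the zsac prompt
ac_in_public_subnet       = false
"""

# key = value, where value is a quoted string or a bare token (bool/int/other)
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*("([^"]*)"|(\S+))')

def parse_tfvars(text):
    """Parse simple key = value lines; commented-out variables stay unset."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        if quoted is not None:
            values[key] = quoted
        elif bare.lower() in ("true", "false"):
            values[key] = bare.lower() == "true"
        else:
            values[key] = int(bare) if bare.isdigit() else bare
    return values

def check_tfvars(values):
    """Return findings to resolve before running ./zsac up; empty means OK."""
    findings = []
    cidr = values.get("bastion_ssh_source_cidr")
    if cidr is None:
        findings.append("bastion SSH source CIDR is not set")
    elif ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
        findings.append("bastion SSH reachable from any address (%s)" % cidr)
    if values.get("ac_in_public_subnet"):
        findings.append("App Connectors in a public subnet; private subnet recommended")
    if values.get("byo_provisioning_key") and not values.get("byo_provisioning_key_name"):
        findings.append("byo_provisioning_key is set but no existing key name given")
    return findings
```

Run it against your own terraform.tfvars before ./zsac up; on the constructed sample it reports only the open bastion SSH source.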
