[VIDEO] ZPA Terraform provider Video Series Ep2 - Connector Groups

Zscaler recommends deploying App Connectors in groups for high availability and horizontal scaling. You can create new App Connector groups whenever you add a new App Connector using a new provisioning key.

Every App Connector belongs to a specific App Connector group, and every App Connector group should always be associated with at least one provisioning key and one Server group to serve any application.

App Connector Groups must be associated with applications that the App Connector can access (i.e., only assign App Connectors to applications that the App Connector is capable of reaching). ZPA selects the closest App Connector given the location of the user and the App Connector-to-application latency.


Hi, my name is William Guilherme, and I am a Solutions Architect with the Zscaler Technology Alliances team.

In this video, we’ll go through how to create an app connector group using the ZPA Terraform provider.

Before you proceed, make sure you have the prerequisites explained in the first video of this series in place.

An app connector group is one of the many required constructs when configuring the ZPA platform.

It can manage things such as automatic software updates of app connector appliances by having a particular schedule configured.

Other constructs, such as provisioning keys and server groups, all depend on having an App Connector group object associated with them.

Once you execute the command terraform apply, the Terraform plugin calls the ZPA App Connector Group endpoint to start the provisioning of an App Connector group resource in the ZPA portal.

A few parameters are mandatory when configuring an app connector group, such as Name, Location, Latitude, and Longitude.

You can also manage things such as the version profile, which allows you to upgrade all app connector groups to a specific build, or take a more controlled approach to upgrade only selected app connector groups to a specific build.

To see an example of an app connector group configuration, navigate to the Terraform registry, and type zpa in the search bar.

Navigate to the documentation tab, and scroll down to the App Connector Group section on the left-hand side.

Click on the zpa_app_connector_group resource. Here you can use the configuration snippet by copying and pasting the example into your configuration file.

To configure an app connector group, open your preferred text editor. Make sure you have the Terraform provider block configuration properly set.

Create the zpa_app_connector_group resource block, and set up the required parameters accordingly.

As previously mentioned, the only required parameters in this configuration are the Name, Location, Latitude and Longitude, while all other parameters are considered optional.

Finally, we can run the command terraform init to initialize the Terraform configuration directory.

We can also run the command terraform plan, which will give us a preview of the actions Terraform will take to modify our ZPA tenant configuration.

In this case, Terraform is informing us that 1 resource will be added to our tenant if we decide to run terraform apply.

We can then run the command terraform apply, and Terraform in this case will prompt us for confirmation to ensure we agree with the changes it is about to perform.

We can then type "yes" to confirm, and Terraform will proceed with the changes.
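
The configuration walked through above, written out as an added example; it is not the snippet shown in the video or copied from the registry. The resource label, the names and the coordinates are constructed sample values, and the provider source address, the optional argument names and the credential environment variables are given as I know them from the published provider, so check them against the registry documentation for the version you install.

```hcl
# Added example: an App Connector group with the four required
# parameters and an explicit upgrade schedule.
terraform {
  required_providers {
    zpa = {
      # Assumption: current registry address of the ZPA provider.
      source = "zscaler/zpa"
    }
  }
}

# Keep API credentials out of this file and out of version control.
# Assumption: the provider reads them from the environment
# (ZPA_CLIENT_ID, ZPA_CLIENT_SECRET, ZPA_CUSTOMER_ID).
provider "zpa" {}

resource "zpa_app_connector_group" "dc_sjc" {
  # Required parameters named in the video.
  name      = "SJC-DC-Connector-Group" # constructed sample value
  location  = "San Jose, CA, US"       # constructed sample value
  latitude  = "37.338"
  longitude = "-121.8863"

  # Optional parameters.
  description  = "App Connectors for the San Jose data center"
  enabled      = true
  city_country = "San Jose, CA"
  country_code = "US"

  # Software update schedule for the connectors in this group:
  # weekly on Sunday, 66600 seconds after midnight (18:30).
  upgrade_day          = "SUNDAY"
  upgrade_time_in_secs = "66600"

  # Version profile: pin this group to a profile instead of
  # inheriting the tenant-wide setting (0 = Default profile).
  override_version_profile = true
  version_profile_id       = 0
}

# Exposed so that provisioning keys and server groups defined
# elsewhere can reference this group.
output "app_connector_group_id" {
  value = zpa_app_connector_group.dc_sjc.id
}
```

Because the plan output and the state file both record the group's configuration, review the output of terraform plan before confirming the apply, and store the state file with the same access controls as the tenant's API credentials.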

An App Connector Group can manage automatic software updates of app connector appliances.

Other constructs such as provisioning keys and server groups are always associated with an app connector group.

An App Connector Group can also be associated with an Access Policy to force traffic to be processed only by a specific group of app connectors.

The following parameters are required when creating an app connector group: Name, Location, Latitude, and Longitude.

Visit the Terraform registry for additional examples and the complete parameter list