[VIDEO] ZPA Terraform provider Video Series Ep4 - Server Groups

When configuring an application segment within ZPA, you must identify the server group that contains the servers hosting the defined applications.

There are two types of server groups you can configure:

  • You can create a server group and manually add servers you’ve explicitly defined.
  • You can create a server group with dynamic server discovery enabled so that ZPA discovers the appropriate servers for your applications as users request them. If you use this method, you do not need to manually define each server in the server group.

Terraform Registry Example: Terraform Registry

In this video, we’ll explore

Timeline:

0:00:04;18 – 0:00:15;04 – Introduction
0:00:15;07 – 0:00:21;18 – Pre-Requisites
0:00:19;22 – 0:01:57;16 – Server Group Concepts
0:01:58;00 – 0:02:34;06 – Server Groups – Dynamic Discovery Enabled
0:02:34;09 – 0:03:15;00 – Server Groups – Dynamic Discovery Disabled
0:03:21;12 – 0:04:04;22 – Terraform Registry Documentation
0:04:05;13 – 0:04:57;22 – Server Groups – Dynamic Discovery Enabled – Configuration
0:04:57;23 – 0:06:19;17 – Server Groups – Dynamic Discovery Disabled – Configuration
0:06:19;17 – 0:07:00;00 – Summary

Transcript

Hi, my name is William Guilherme, and I am a Solutions Architect with the Zscaler Technology Alliances team.

In this video, we’ll go through the different types of Server Group resources that can be created and managed via the ZPA Terraform provider.

Part 1
When creating a Server Group via the Terraform provider, it is important to understand a few important concepts.

First, there are 2 types of server group resources, dynamic and manual, and a server group is always dependent on having an app connector group attached to it.

A Server group can be associated with multiple app connector groups regardless of the mode in which it is configured. By default, it will be set to dynamic mode; however, if setting up the resource to operate in manual mode, you must specify an application server resource.

A Server Group resource is required when configuring other constructs such as application segments; however, it can be optionally configured when selecting an app connector group in an access policy.

Part 2
In this example, we have an app connector group resource on the left-hand-side and a server group resource on the right.

Notice that, even though it is possible to create the app connector group resource by itself, creating the server group resource depends on the fact that an app connector group already exists.

The Terraform provider will point out these dependencies in the apply process, in case any of them are missing.

Part 3
In this other example, when creating an access policy rule, you may choose to select an app connector group resource, which is considered optional in this instance;

however, if you decide to select a specific app connector group in your access policy, you may optionally also choose a Server group by which traffic hitting this rule will be processed.

Part 4
This diagram describes the workflow followed by Terraform to create a Server Group resource in dynamic mode.

Terraform will first look for an existing app connector group ID during the application process. If that ID exists, it stores that information in memory and proceeds to create the server group resource.

During the creation of the Server Group resource, it then attaches the previously stored App connector group ID to the new Server Group.

Because the app_connector_group parameter is a list of IDs, a single server group can be attached to multiple app connector group IDs.

Part 5
This next diagram describes the workflow followed by Terraform to create a Server Group resource in manual mode.

Similar to the dynamic mode, Terraform will first look for an existing app connector group ID during the apply process.

If that ID exists, it stores that information in memory; however, in manual mode, ZPA requires that an application server resource ID be associated with this server group object using the parameter “servers”, followed by a list of application server IDs.

In other words, you can associate 1 or more application server resources to a server group.

Once Terraform is able to store the ID of both the app connector group and application server in memory it then proceeds to create the server group resource.

Part 6
To see an example of a server group resource, navigate to the Terraform registry documentation and search for zscaler. Then select the Documentation tab and navigate to the Server Group resource option on the left-hand side.

You can then copy the desired configuration snippet and paste in your code editor.

The first part gives us an example of how to configure a dynamic server group.

The second example shows us how to configure a manual server group. At the bottom is the list of both optional and required parameters.

Part 7
To configure the server group resource in dynamic mode, open your preferred code editor, and paste the code from the terraform registry documentation. Edit the parameters such as name and description according to your needs.

Notice that you must already have an app connector group created or you can create a new one if needed.

If you already have an app connector group created, you can instruct terraform to use the app connector group data source to query the ID of the existing app connector group.

Part 8
We can then run terraform apply to initiate the provisioning of our newly configured server group resource in dynamic mode. As you can see, we now have a single new server group resource added to our ZPA tenant.

Part 9
To configure the server group resource in manual mode, we’ll repeat the same server group configuration block used in the previous example; however, in this example, we’ll set the “dynamic_discovery” option to false.

As a result, we must then add the parameter “servers”, and within that parameter provide a list of application server IDs.

You can also create a brand-new application server resource, or reference an existing one via the application server data source, to associate with this server group object.

Notice that Terraform won’t allow the creation of a server group in manual mode unless an application server resource ID is provided.

We will talk about cross-dependencies between an application server and a server group in the next video.

Part 9
Finally, we can run the command terraform apply, to create both our server group and application server resources.

In this example, I am using the optional flag called --auto-approve, which will prevent Terraform from asking for confirmation.

In the end, we have our server group in manual mode with the dynamic discovery option set to false, and our list of application servers as specified in our configuration.

In summary:

  • Server Groups can be created in 2 modes: Dynamic and Manual.
  • A Server Group depends on an App Connector Group and can be associated with multiple App Connector Groups.
  • It cannot be deleted if attached to an App Connector Group.
  • When configuring an application segment resource, a server group is required.
  • A Server Group can optionally be associated with an access policy when selectively setting an App Connector Group.
  • Server Groups in manual mode are dependent on an application server resource; however, application server resources are not dependent on a server group and can be created by themselves.
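The two configurations walked through in Parts 7 to 9 (dynamic mode, then manual mode with an application server) side by side, as an added example that is not the video's own snippet or the provider's registry example. It assumes the zscaler/zpa provider's resource and attribute names as I understand them (`zpa_server_group` with an `app_connector_groups` block and a `servers` block, `zpa_application_server`, and the `zpa_app_connector_group` data source); the group and server names, and the hostname, are placeholders.

```hcl
# Added example: both server group modes described in the video.
# Provider source and attribute names are assumed from the zscaler/zpa
# provider schema; all names and the address below are placeholders.
terraform {
  required_providers {
    zpa = {
      source = "zscaler/zpa"
    }
  }
}

# Query the ID of an App Connector Group that already exists in the tenant
# (Part 7: use the data source instead of creating a new group).
data "zpa_app_connector_group" "existing" {
  name = "Example-App-Connector-Group" # placeholder name
}

# Dynamic mode (the default): ZPA discovers servers as users request
# applications, so no "servers" block is needed.
resource "zpa_server_group" "dynamic" {
  name              = "Example-Server-Group-Dynamic"
  description       = "Dynamic discovery enabled"
  enabled           = true
  dynamic_discovery = true

  # List of IDs: one server group may attach to several connector groups.
  app_connector_groups {
    id = [data.zpa_app_connector_group.existing.id]
  }
}

# Manual mode needs at least one application server resource to reference.
resource "zpa_application_server" "app1" {
  name        = "Example-App-Server"
  description = "Placeholder server for the manual server group"
  address     = "app1.example.internal" # placeholder hostname
  enabled     = true
}

# Manual mode: dynamic_discovery = false, so the "servers" block is required
# and the apply fails without it (Part 9).
resource "zpa_server_group" "manual" {
  name              = "Example-Server-Group-Manual"
  description       = "Dynamic discovery disabled"
  enabled           = true
  dynamic_discovery = false

  app_connector_groups {
    id = [data.zpa_app_connector_group.existing.id]
  }

  servers {
    id = [zpa_application_server.app1.id]
  }
}
```

Run `terraform init`, then `terraform plan` to confirm the dependency order (data source, application server, then both server groups) before `terraform apply`. Referencing `zpa_application_server.app1.id` in the `servers` block is what gives Terraform the cross-dependency the video describes, so the server is always created before the manual group.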
