This deployment type is intended for brownfield/production purposes. By default, it will create 1 new VPC with 2 public subnets and 2 Cloud Connector private subnets; 1 IGW; 2 NAT Gateways; 4 Cloud Connector VMs (2 per subnet/AZ) routing to the NAT Gateway in their same AZ; generates local key pair .pem file for ssh access; Number of Cloud Connectors and subnets deployed, ability to use existing resources (VPC, subnets, IGW, NAT Gateways), toggle ZPA/R53 resources; generates local key pair .pem file for ssh access; Gateway Load Balancer auto registers service IPs to target group with health checks; VPC Endpoint Service; 2 GWLB Endpoints (1 in each Cloud Connector subnet)
Optional - First edit examples/cc_gwlb/terraform.tfvars with any "byo" variable values that already exist in your environment and save the file. From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec up
- enter "brownfield"
- enter "cc_gwlb"
- follow the remainder of the authentication and configuration input prompts.
- script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
- inputs will be validated and terraform init/apply will automatically exectute.
- verify all resources that will be created/modified and enter "yes" to confirm
Modify/populate any required variable input values in examples/cc_gwlb/terraform.tfvars file and save.
From cc_gwlb directory execute:
- terraform init
- terraform apply
From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec destroy
From cc_gwlb directory execute:
- terraform destroy
| Name | Version |
|---|---|
| terraform | >= 0.13.7, < 2.0.0 |
| aws | >= 5.32.0, <= 5.49.0 |
| local | ~> 2.2.0 |
| null | ~> 3.1.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Version |
|---|---|
| aws | >= 5.32.0, <= 5.49.0 |
| local | ~> 2.2.0 |
| null | ~> 3.1.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Source | Version |
|---|---|---|
| cc_iam | ../../modules/terraform-zscc-iam-aws | n/a |
| cc_sg | ../../modules/terraform-zscc-sg-aws | n/a |
| cc_vm | ../../modules/terraform-zscc-ccvm-aws | n/a |
| gwlb | ../../modules/terraform-zscc-gwlb-aws | n/a |
| gwlb_endpoint | ../../modules/terraform-zscc-gwlbendpoint-aws | n/a |
| network | ../../modules/terraform-zscc-network-aws | n/a |
| route53 | ../../modules/terraform-zscc-route53-aws | n/a |
| Name | Type |
|---|---|
| aws_key_pair.deployer | resource |
| local_file.private_key | resource |
| local_file.testbed | resource |
| local_file.user_data_file | resource |
| null_resource.cc_error_checker | resource |
| random_string.suffix | resource |
| tls_private_key.key | resource |
| aws_ami.cloudconnector | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acceptance_required | Whether to require manual acceptance of any VPC Endpoint registration attempts to the Endpoint Service or not. Default is false | bool |
false |
no |
| all_ports_egress_enabled | Default is true which creates an egress rule permitting the CC service interface to forward direct traffic on all ports and protocols. If false, the rule is not created. Value ignored if not creating a security group | bool |
true |
no |
| allowed_principals | List of AWS Principal ARNs who are allowed access to the GWLB Endpoint Service. E.g. ["arn:aws:iam::1234567890:root"]. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests |
list(string) |
[] |
no |
| ami_id | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc_count index | list(string) |
[ |
no |
| aws_region | The AWS region. | string |
"us-west-2" |
no |
| az_count | Default number of subnets to create based on availability zone | number |
2 |
no |
| byo_endpoint_service_name | Exising GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format: "com.amazonaws.vpce.." | string |
null |
no |
| byo_iam | Bring your own IAM Instance Profile for Cloud Connector | bool |
false |
no |
| byo_iam_instance_profile_id | IAM Instance Profile ID for Cloud Connector association | list(string) |
null |
no |
| byo_igw | Bring your own AWS VPC for Cloud Connector | bool |
false |
no |
| byo_igw_id | User provided existing AWS Internet Gateway ID | string |
null |
no |
| byo_kms_key_alias | Requires var.ebs_encryption_enabled to be true. Set to null by default which is the AWS default managed/master key. Set as 'alias/' to use a custom KMS key | string |
null |
no |
| byo_mgmt_security_group_id | Management Security Group ID for Cloud Connector association | list(string) |
null |
no |
| byo_ngw | Bring your own AWS NAT Gateway(s) Cloud Connector | bool |
false |
no |
| byo_ngw_ids | User provided existing AWS NAT Gateway IDs | list(string) |
null |
no |
| byo_r53_subnet_ids | User provided existing AWS Subnet IDs reserved for ZPA/Route53 use | list(string) |
[] |
no |
| byo_security_group | Bring your own Security Group for Cloud Connector | bool |
false |
no |
| byo_service_security_group_id | Service Security Group ID for Cloud Connector association | list(string) |
null |
no |
| byo_subnet_ids | User provided existing AWS Subnet IDs | list(string) |
null |
no |
| byo_subnets | Bring your own AWS Subnets for Cloud Connector | bool |
false |
no |
| byo_vpc | Bring your own AWS VPC for Cloud Connector | bool |
false |
no |
| byo_vpc_id | User provided existing AWS VPC ID | string |
null |
no |
| cc_count | Default number of Cloud Connector appliances to create | number |
4 |
no |
| cc_instance_size | Cloud Connector Instance size. Determined by and needs to match the Cloud Connector Portal provisioning template configuration | string |
"small" |
no |
| cc_route_table_enabled | For brownfield environments where VPC subnets already exist, set to false to not create a new route table to associate to Cloud Connector subnet(s). Default is true which means module will try to create new route tables | bool |
true |
no |
| cc_subnets | Cloud Connector Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable. | list(string) |
null |
no |
| cc_vm_prov_url | Zscaler Cloud Connector Provisioning URL | string |
n/a | yes |
| ccvm_instance_type | Cloud Connector Instance Type | string |
"m6i.large" |
no |
| cloud_tags_enabled | Determines whether or not to create the cc_tags_policy IAM Policy and attach it to the CC IAM Role | bool |
false |
no |
| cross_zone_lb_enabled | Determines whether GWLB cross zone load balancing should be enabled or not | bool |
false |
no |
| deregistration_delay | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | number |
0 |
no |
| domain_names | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | map(any) |
{} |
no |
| ebs_encryption_enabled | true/false whether to enable EBS encryption on the root volume. Default is true | bool |
true |
no |
| ebs_volume_type | (Optional) Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp3 | string |
"gp3" |
no |
| flow_stickiness | Options are (Default) 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip) | string |
"5-tuple" |
no |
| gwlb_enabled | Default is true. Workload/Route 53 subnet route tables will point to vpc_endpoint_id via var.gwlb_endpoint_ids input. If false, these Route Tables will point to network_interface_id via var.cc_service_enis | bool |
true |
no |
| health_check_interval | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | number |
10 |
no |
| healthy_threshold | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | number |
2 |
no |
| hostname_type | Type of hostname for Amazon EC2 instances | string |
"resource-name" |
no |
| http_probe_port | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | number |
50000 |
no |
| mgmt_ssh_enabled | Default is true which creates an ingress rule permitting SSH traffic from the local VPC to the CC management interface. If false, the rule is not created. Value ignored if not creating a security group | bool |
true |
no |
| name_prefix | The name prefix for all your resources | string |
"zscc" |
no |
| owner_tag | populate custom owner tag attribute | string |
"zscc-admin" |
no |
| public_subnets | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable. | list(string) |
null |
no |
| r53_route_table_enabled | For brownfield environments where VPC subnets already exist, set to false to not create a new route table to associate to ZPA/Route 53 reserved subnet(s). Default is true which means module will try to create new route tables | bool |
true |
no |
| rebalance_enabled | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no_rebalance. Default: true | bool |
true |
no |
| resource_name_dns_a_record_enabled | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default is false | bool |
false |
no |
| reuse_iam | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | bool |
false |
no |
| reuse_security_group | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | bool |
false |
no |
| route53_subnets | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc_cidr variable. | list(string) |
null |
no |
| secret_name | AWS Secrets Manager Secret Name for Cloud Connector provisioning | string |
n/a | yes |
| support_access_enabled | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | bool |
true |
no |
| target_address | Route 53 DNS queries will be forwarded to these Zscaler Global VIP addresses | list(string) |
[ |
no |
| tls_key_algorithm | algorithm for tls_private_key resource | string |
"RSA" |
no |
| unhealthy_threshold | The number of unsuccessful health checks required before an healthy target becomes unhealthy. Minimum 2 and maximum 10 | number |
3 |
no |
| vpc_cidr | VPC IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VPC smaller than /16, you may need to explicitly define all other subnets via public_subnets, workload_subnets, cc_subnets, and route53_subnets variables | string |
"10.1.0.0/16" |
no |
| workloads_enabled | Configure Workload Subnets, Route Tables, and associations if set to true | bool |
false |
no |
| zpa_enabled | Configure Route 53 Subnets, Route Tables, and Resolvers for ZPA DNS redirection | bool |
false |
no |
| zssupport_server | destination IP address of Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net | string |
"199.168.148.101/32" |
no |
| Name | Description |
|---|---|
| testbedconfig | AWS Testbed results |