This deployment type is intended for greenfield/pov/lab purposes. It will deploy a fully functioning sandbox environment in a new Resource Group/VNet with test workload VMs. Full set of resources provisioned listed below, but this will effectively create all network infrastructure dependencies for an Azure environment. Everything from "Base" deployment type (Creates 1 new Resource Group; 1 VNet with 1 public subnet and 1 private/workload subnet; 1 Centos server workload in the private subnet; 1 Bastion Host in the public subnet assigned a Public IP; and generates local key pair .pem file for ssh access).
Additionally: Creates 1 Cloud Connector private subnet associated to a NAT Gateway; 1 Cloud Connector VM; and workload private subnet UDR repointed to service interface IP of Cloud Connector.
- WSL2 DNS bug: If you are trying to run these Azure terraform deployments specifically from a Windows WSL2 instance like Ubuntu and receive an error containing a message similar to this "dial tcp: lookup management.azure.com on 172.21.240.1:53: cannot unmarshal DNS message" please refer here for a WSL2 resolv.conf fix. microsoft/WSL#5420 (comment).
From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec up
- enter "greenfield"
- enter "base_1cc"
- follow the remainder of the authentication and configuration input prompts.
- script will detect client operating system and download/run a specific version of terraform in a temporary bin directory
- inputs will be validated and terraform init/apply will automatically exectute.
- verify all resources that will be created/modified and enter "yes" to confirm
Modify/populate any required variable input values in base_1cc/terraform.tfvars file and save.
From base_1cc directory execute:
- terraform init
- terraform apply
From the examples directory, run the zsec bash script that walks to all required inputs.
- ./zsec destroy
From base_1cc directory execute:
- terraform destroy
| Name | Version |
|---|---|
| terraform | >= 0.13.7, < 2.0.0 |
| azurerm | >= 3.108.0, <= 3.116 |
| local | ~> 2.5.0 |
| null | ~> 3.1.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Version |
|---|---|
| local | ~> 2.5.0 |
| random | ~> 3.3.0 |
| tls | ~> 3.4.0 |
| Name | Source | Version |
|---|---|---|
| bastion | ../../modules/terraform-zscc-bastion-azure | n/a |
| cc_identity | ../../modules/terraform-zscc-identity-azure | n/a |
| cc_nsg | ../../modules/terraform-zscc-nsg-azure | n/a |
| cc_vm | ../../modules/terraform-zscc-ccvm-azure | n/a |
| network | ../../modules/terraform-zscc-network-azure | n/a |
| workload | ../../modules/terraform-zscc-workload-azure | n/a |
| Name | Type |
|---|---|
| local_file.private_key | resource |
| local_file.testbed | resource |
| local_file.user_data_file | resource |
| random_string.suffix | resource |
| tls_private_key.key | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| accelerated_networking_enabled | Enable/Disable accelerated networking support on all Cloud Connector service interfaces | bool |
true |
no |
| arm_location | The Azure Region where resources are to be deployed | string |
"westus2" |
no |
| azure_vault_url | Azure Vault URL | string |
n/a | yes |
| bastion_nsg_source_prefix | user input for locking down SSH access to bastion to a specific IP or CIDR range | string |
"*" |
no |
| cc_count | The number of Cloud Connectors to deploy. Validation assumes max for /24 subnet but could be smaller or larger as long as subnet can accommodate | number |
1 |
no |
| cc_subnets | Cloud Connector Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network_address_space variable. | list(string) |
null |
no |
| cc_vm_managed_identity_name | Azure Managed Identity name to attach to the CC VM. E.g zspreview-66117-mi | string |
n/a | yes |
| cc_vm_managed_identity_rg | Resource Group of the Azure Managed Identity name to attach to the CC VM. E.g. edgeconnector_rg_1 | string |
n/a | yes |
| cc_vm_prov_url | Zscaler Cloud Connector Provisioning URL | string |
n/a | yes |
| ccvm_image_offer | Azure Marketplace Cloud Connector Image Offer | string |
"zia_cloud_connector" |
no |
| ccvm_image_publisher | Azure Marketplace Cloud Connector Image Publisher | string |
"zscaler1579058425289" |
no |
| ccvm_image_sku | Azure Marketplace Cloud Connector Image SKU | string |
"zs_ser_gen1_cc_01" |
no |
| ccvm_image_version | Azure Marketplace Cloud Connector Image Version | string |
"latest" |
no |
| ccvm_instance_type | Cloud Connector Image size | string |
"Standard_D2s_v3" |
no |
| ccvm_source_image_id | Custom Cloud Connector Source Image ID. Set this value to the path of a local subscription Microsoft.Compute image to override the Cloud Connector deployment instead of using the marketplace publisher | string |
null |
no |
| encryption_at_host_enabled | User input for enabling or disabling host encryption | bool |
true |
no |
| env_subscription_id | Azure Subscription ID where resources are to be deployed in | string |
n/a | yes |
| environment | Customer defined environment tag. ie: Dev, QA, Prod, etc. | string |
"Development" |
no |
| http_probe_port | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from Azure LB | number |
50000 |
no |
| lb_enabled | Default true. Only relevant for 'base' deployments. Configure Workload Route Table to default route next hop to the CC Load Balancer IP passed from var.lb_frontend_ip. If false, default route next hop directly to the CC Service IP passed from var.cc_service_ip | bool |
false |
no |
| managed_identity_subscription_id | Azure Subscription ID where the User Managed Identity resource exists. Only required if this Subscription ID is different than env_subscription_id | string |
null |
no |
| name_prefix | The name prefix for all your resources | string |
"zscc" |
no |
| network_address_space | VNet IP CIDR Range. All subnet resources that might get created (public, workload, cloud connector) are derived from this /16 CIDR. If you require creating a VNet smaller than /16, you may need to explicitly define all other subnets via public_subnets, workload_subnets, cc_subnets, and route53_subnets variables | string |
"10.1.0.0/16" |
no |
| owner_tag | Customer defined owner tag value. ie: Org, Dept, username, etc. | string |
"zscc-admin" |
no |
| public_subnets | Public/Bastion Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network_address_space variable. | list(string) |
null |
no |
| reuse_nsg | Specifies whether the NSG module should create 1:1 network security groups per instance or 1 network security group for all instances | bool |
"false" |
no |
| support_access_enabled | If Network Security Group is being configured, enable a specific outbound rule for Cloud Connector to be able to establish connectivity for Zscaler support access. Default is true | bool |
true |
no |
| tls_key_algorithm | algorithm for tls_private_key resource | string |
"RSA" |
no |
| workload_count | The number of Workload VMs to deploy | number |
1 |
no |
| workloads_subnets | Workload Subnets to create in VNet. This is only required if you want to override the default subnets that this code creates via network_address_space variable. | list(string) |
null |
no |
| zones | Specify which availability zone(s) to deploy VM resources in if zones_enabled variable is set to true | list(string) |
[ |
no |
| zones_enabled | Determine whether to provision Cloud Connector VMs explicitly in defined zones (if supported by the Azure region provided in the location variable). If left false, Azure will automatically choose a zone and module will create an availability set resource instead for VM fault tolerance | bool |
false |
no |
| zssupport_server | destination IP address of Zscaler Support access server. IP resolution of remotesupport.<zscaler_customer_cloud>.net | string |
"199.168.148.101" |
no |
| Name | Description |
|---|---|
| testbedconfig | Azure Testbed results |