• Pre-Deployment Template

  Use the Pre-Deployment Template (zs_cc_cf_template_zscc_macro) to create the pre-deployment resources you need to deploy and operate Cloud Connector in an existing VPC. This template creates the following resources:

  • AWS CloudFormation macro
  • AWS Lambda function
  • Identity and Access Management (IAM) role to access the AWS Secrets Manager
  • Permissions for invoking Lambda

  • See Resource Logs

    AWS::CloudFormation::Macro 
    AWS::IAM::Role
    AWS::Lambda::Function 
    AWS::Lambda::Permission

    Close

  Close
• Starter Deployment Template

  Use the Starter Deployment Template (zs_cc_cf_template_simple) to create the resources you need to deploy and operate Cloud Connector in an existing VPC. The template creates the following resources:

  • Instance Profile with IAM role and required policy permissions (Secrets Manager, Systems Manager [SSM], Workload Tags)
  • AWS Lambda function
  • EC2 instance
  • Security group for Management interface
  • Security group for Service Interface
  • Service Network Interface
  • Network Interface Attachment

  After you upload the template to the AWS CloudFormation console, you must define the following parameters:

  • VPC ID
  • Availability zone of the subnets
  • Subnet ID of Cloud Connector
  • Cloud Connector instance key pair
  • Cloud Connector instance type (small, medium, or large)
  • Cloud Connector VM AWS EC2 instance type
  • Cloud Connector provisioning URL
  • Secrets Manager secret name (optional)
  • EBS encryption enablement
  • HTTP monitor probe port (optional)

  Ensure that you define the HTTP Monitor Probe Port parameter to check the liveliness of the designated Cloud Connectors and to achieve high availability.

  • See Resource Logs

    AWS::EC2::KeyPair::KeyName
    AWS::EC2::VPC::Id
    AWS::EC2::Subnet::Id
    AWS::EC2::SecurityGroup
    AWS::EC2::NetworkInterface
    AWS::IAM::ManagedPolicy
    AWS::IAM::Role
    AWS::IAM::InstanceProfile
    AWS::EC2::LaunchTemplate
    AWS::EC2::Instance
    AWS::EC2::NetworkInterfaceAttachment

    Close

  Close
• Add-on Template with Gateway Load Balancer (GWLB)

  Use the Add-on Template with GWLB (zs_cc_cf_template_gwlb) to load balance traffic across multiple Cloud Connectors. The template creates the following resources:

  • Gateway Load Balancer
  • Listener
  • Target group
  • VPC endpoint service
  • VPC endpoints

  After you upload the template to the AWS CloudFormation console, you must define the following parameters:

  • ZS CC instance IDs
  • ZS CC instance HTTP probe port

  Ensure that you define the HTTP Monitor Probe Port parameter to check the liveliness of the designated Cloud Connectors and to achieve high availability.

  • GWLB target failover rebalance strategy
  • GWLB flow stickiness strategy
  • Enable cross-zone load balancing

  With cross-zone load balancing, the Gateway Load Balancer distributes requests evenly across the Cloud Connector instances in all enabled Availability Zones. If you disable cross-zone load balancing, the Gateway Load Balancer distributes requests evenly across the Cloud Connector instances in the workload's Availability Zone only. Traffic forwarding across Availability Zones is subject to additional AWS charges.

  • See Resource Logs

    AWS::ElasticLoadBalancingV2::LoadBalancer
    AWS::ElasticLoadBalancingV2::Listener
    AWS::ElasticLoadBalancingV2::TargetGroup
    AWS::EC2::VPCEndpointService
    AWS::EC2::VPCEndpoint
    AWS::EC2::VPCEndpoint

    Close

  Close
• Add-on Template with ZPA

  Use the Add-on Template with ZPA (zs_cc_cf_template_zpa_r53) to create the resources you need to enable the Zscaler Private Access (ZPA) DNS resolver capability on the Cloud Connector in an existing VPC. The template creates the following resources:

  • Outbound Route 53 resolver
  • Security group
  • IAM role to access the AWS Secrets Manager
  • AWS Lambda function to retrieve the EC2 instance properties
  • Up to 10 Resolver rules, one per domain

  After you upload the template to the AWS CloudFormation console, you must define the following parameters:

  • Your Zscaler Cloud name
  • Your ZPA Cloud name
  • VPC ID
  • Outbound Resolver endpoints subnets
  • Resolver target IPs
  • Domain name(s) for ZPA application(s)

  • See Resource Logs

    AWS::CloudFormation::CustomResource
    AWS::EC2::SecurityGroup
    AWS::IAM::Role
    AWS::Lambda::Function
    AWS::Route53Resolver::ResolverEndpoint
    AWS::Route53Resolver::ResolverRule
    AWS::Route53Resolver::ResolverRule
    AWS::Route53Resolver::ResolverRule
    AWS::Route53Resolver::ResolverRule
    AWS::Route53Resolver::ResolverRule
    AWS::Route53Resolver::ResolverRule
    AWS::Route53Resolver::ResolverRule
    AWS::Route53Resolver::ResolverRuleAssociation  

    Close

  Close
• Starter Deployment Template with Auto Scaling and GWLB

  Before uploading this template to the AWS CloudFormation console, you must create a new Amazon Simple Storage Service (S3) bucket and upload the Zscaler Cloud Connector Lambda ZIP file. To learn more about Amazon S3, see Amazon S3 bucket for auto scaling prerequisites.

  Use the Starter Deployment Template with Auto Scaling and GWLB (zs_cc_cf_template_asg_gwlb) to create the resources you need to deploy and operate Cloud Connector with Auto Scaling in an existing VPC.

  To enable Auto Scaling, contact Zscaler Support.

  The template creates the following resources:

  • Launch template
  • Auto Scaling group
  • Instance profile with IAM role and required policy permissions (Secrets Manager, Systems Manager [SSM], Workload Tags)
  • EC2 Instance
  • Management network interface
  • Service network interface
  • Security group for management interface
  • Security group for service interface
  • Network interface attachment
  • Lambda function
  • Log group
  • EventBridge rules
  • Gateway Load Balancer
  • Listener
  • Target group
  • VPC endpoint service
  • VPC endpoints

  After you upload the template to the AWS CloudFormation console, you must define the following parameters:

  • VPC ID
  • Availability Zone to deploy Zscaler Cloud Connector and GWLB/VPC endpoints
  • Subnet ID for the Zscaler Cloud Connector Auto Scaling Group
  • (Optional) Zscaler Cloud Connector AMI
  • Zscaler Cloud Connector instance key pair
  • (Optional) Existing IAM role to use for Zscaler Cloud Connector
  • (Optional) Zscaler Cloud Connector management interface security group
  • (Optional) Zscaler Cloud Connector service interface security group
  • AWS Secrets Manager secret name
  • Zscaler Cloud Connector instance size

  Currently, only small instance types are supported for Cloud Connector.

  • Cloud Connector VM AWS EC2 instance type
  • Cloud Connector provisioning URL
  • HTTP monitor probe port

  Ensure that you define the HTTP monitor probe port parameter to check the liveliness of the designated Cloud Connectors and to achieve high availability.

  • EBS encryption enablement
  • Lambda S3 bucket name
  • Lambda S3 key
  • Auto Scaling group minimum size
  • Auto Scaling group maximum size
  • Auto Scaling group reuse instances on scale-in
  • Auto Scaling group target CPU utilization value
  • Auto Scaling group warm pool enabled
  • Auto Scaling group warm pool state
  • Auto Scaling group warm pool minimum size
  • Auto Scaling group warm pool max group prepared capacity
  • Log group retention
  • GWLB target failover rebalance strategy
  • GWLB flow stickiness strategy
  • Enable cross-zone load balancing
  • VPC endpoint subnets to create VPC endpoints in (one per Availability Zone)
  • VPC endpoint service principals
  • Require acceptance for newly created VPC endpoints

  • See Resource Logs

    AWS::EC2::VPC::Id
    AWS::EC2::KeyPair::KeyName
    AWS::EC2::Image::Id
    AWS::EC2::SecurityGroup
    AWS::IAM::ManagedPolicy
    AWS::IAM::Role
    AWS::IAM::InstanceProfile
    AWS::EC2::LaunchTemplate
    AWS::AutoScaling::AutoScalingGroup
    AWS::AutoScaling::ScalingPolicy
    AWS::AutoScaling::WarmPool
    AWS::Logs::LogGroup
    AWS::Lambda::Function
    AWS::Events::Rule
    AWS::Lambda::Permission
    AWS::ElasticLoadBalancingV2::LoadBalancer
    AWS::ElasticLoadBalancingV2::TargetGroup
    AWS::ElasticLoadBalancingV2::Listener
    AWS::EC2::VPCEndpointService
    AWS::EC2::VPCEndpointServicePermissions
    AWS::EC2::VPCEndpoint

    Close

  Close

• Basic Deployment Templates

  • Starter Deployment Template

    Use the Starter Deployment Template (base_1cc) to deploy your Cloud Connector in a new VPC. The template creates the following resources:

    • VPC
    • Cloud Connector subnet
    • Public subnet
    • Private subnet
    • Key pair for SSH access
    • Instance profile with IAM role and required policy permissions (Secrets Manager, SSM, Workload Tags)
    • Elastic IP address associated with NAT gateway
    • Cloud Connector VM
    • AWS Lambda function to retrieve the EC2 instance properties
    • Linux bastion host
    • Linux workload server
    • Internet gateway
    • NAT gateway
    • Management interface
    • Service interface
    • Network security group for management interface
    • Network security group for service interface
    • Route tables for routing the workload traffic through the Cloud Connector

    • See Resource Logs

      data.aws_ami.cloudconnector
      aws_key_pair.deployer
      local_file.private_key
      local_file.testbed
      local_file.user_data_file
      random_string.suffix
      tls_private_key.key
      module.bastion.data.aws_iam_policy_document.bastion_instance_assume_role_policy
      module.bastion.data.aws_partition.bastion_current_partition
      module.bastion.data.aws_ssm_parameter.amazon_linux_latest
      module.bastion.data.aws_vpc.selected
      module.bastion.aws_iam_instance_profile.bastion_host_profile
      module.bastion.aws_iam_role.bastion_iam_role
      module.bastion.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.bastion.aws_instance.bastion
      module.bastion.aws_security_group.bastion
      module.bastion.aws_security_group_rule.internet
      module.bastion.aws_security_group_rule.intranet
      module.bastion.aws_security_group_rule.ssh
      module.cc_iam.data.aws_iam_policy_document.instance_assume_role_policy
      module.cc_iam.data.aws_secretsmanager_secret.cc_secret_name
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[0]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[0]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[0]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[0]
      module.cc_iam.aws_iam_role.cc_node_iam_role[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[0]
      module.cc_sg.data.aws_vpc.selected
      module.cc_sg.aws_security_group.cc_mgmt_sg[0]
      module.cc_sg.aws_security_group.cc_service_sg[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[0]
      module.cc_vm.data.aws_ebs_default_kms_key.current_kms_key[0]
      module.cc_vm.data.aws_kms_alias.current_kms_arn[0]
      module.cc_vm.aws_instance.cc_vm[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[0]
      module.network.data.aws_availability_zones.available
      module.network.data.aws_internet_gateway.igw_selected
      module.network.data.aws_nat_gateway.ngw_selected[0]
      module.network.data.aws_subnet.cc_subnet_selected[0]
      module.network.aws_eip.eip[0]
      module.network.aws_internet_gateway.igw[0]
      module.network.aws_nat_gateway.ngw[0]
      module.network.aws_route_table.cc_rt[0]
      module.network.aws_route_table.public_rt[0]
      module.network.aws_route_table.workload_rt[0]
      module.network.aws_route_table_association.cc_rt_asssociation[0]
      module.network.aws_route_table_association.public_rt_association[0]
      module.network.aws_route_table_association.workload_rt_association[0]
      module.network.aws_subnet.cc_subnet[0]
      module.network.aws_subnet.public_subnet[0]
      module.network.aws_subnet.workload_subnet[0]
      module.network.aws_vpc.vpc[0]
      module.workload.data.aws_partition.workload_current_partition
      module.workload.data.aws_ssm_parameter.amazon_linux_latest
      module.workload.data.aws_vpc.selected
      module.workload.data.local_sensitive_file.zscaler_root_cert
      module.workload.aws_iam_instance_profile.server_host_profile
      module.workload.aws_iam_role.node_iam_role
      module.workload.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.workload.aws_instance.server_host[0]
      module.workload.aws_security_group.node_sg
      module.workload.aws_security_group_rule.server_node_ingress_self
      module.workload.aws_security_group_rule.server_node_ingress_ssh

      Close

    Close
  • Starter Deployment Template with ZPA

    Use the Starter Deployment Template with ZPA (base_1cc_zpa) to deploy your Cloud Connector in a new VPC. The template creates the following resources:

    • VPC
    • Cloud Connector Subnet
    • Public Subnet
    • Private Subnet
    • Key Pair for SSH access
    • Instance profile with IAM role and required policy permissions (Secrets Manager, Systems Manager [SSM], Workload Tags)
    • Elastic IP address associated with NAT Gateway
    • Cloud Connector VM
    • Route 53 subnet, Resolver rules, and outbound endpoints
    • Linux bastion host
    • Linux workload server
    • Internet gateway
    • NAT gateway
    • Management interface
    • Service interface
    • Network security group for management interface
    • Network security group for service interface
    • Route tables for routing the workload traffic through the Cloud Connector

    • See Resource Logs

      data.aws_ami.cloudconnector
      aws_key_pair.deployer
      local_file.private_key
      local_file.testbed
      local_file.user_data_file
      random_string.suffix
      tls_private_key.key
      module.bastion.data.aws_iam_policy_document.bastion_instance_assume_role_policy
      module.bastion.data.aws_partition.bastion_current_partition
      module.bastion.data.aws_ssm_parameter.amazon_linux_latest
      module.bastion.data.aws_vpc.selected
      module.bastion.aws_iam_instance_profile.bastion_host_profile
      module.bastion.aws_iam_role.bastion_iam_role
      module.bastion.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.bastion.aws_instance.bastion
      module.bastion.aws_security_group.bastion
      module.bastion.aws_security_group_rule.internet
      module.bastion.aws_security_group_rule.intranet
      module.bastion.aws_security_group_rule.ssh
      module.cc_iam.data.aws_secretsmanager_secret.cc_secret_name
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[0]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[0]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[0]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[0]
      module.cc_iam.aws_iam_role.cc_node_iam_role[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[0]
      module.cc_sg.data.aws_vpc.selected
      module.cc_sg.aws_security_group.cc_mgmt_sg[0]
      module.cc_sg.aws_security_group.cc_service_sg[0]
      module.cc_sg.aws_security_group.outbound_endpoint_sg[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_outbound_endpoint_tcp_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_outbound_endpoint_udp_all[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_outbound_endpoint_tcp_all[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_outbound_endpoint_udp_all[0]
      module.cc_vm.data.aws_ebs_default_kms_key.current_kms_key[0]
      module.cc_vm.data.aws_kms_alias.current_kms_arn[0]
      module.cc_vm.aws_instance.cc_vm[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[0]
      module.network.data.aws_availability_zones.available
      module.network.data.aws_internet_gateway.igw_selected
      module.network.data.aws_nat_gateway.ngw_selected[0]
      module.network.data.aws_subnet.cc_subnet_selected[0]
      module.network.aws_eip.eip[0]
      module.network.aws_internet_gateway.igw[0]
      module.network.aws_nat_gateway.ngw[0]
      module.network.aws_route_table.cc_rt[0]
      module.network.aws_route_table.public_rt[0]
      module.network.aws_route_table.route53_rt[0]
      module.network.aws_route_table.route53_rt[1]
      module.network.aws_route_table.workload_rt[0]
      module.network.aws_route_table_association.cc_rt_asssociation[0]
      module.network.aws_route_table_association.public_rt_association[0]
      module.network.aws_route_table_association.route53_rt_asssociation[0]
      module.network.aws_route_table_association.route53_rt_asssociation[1]
      module.network.aws_route_table_association.workload_rt_association[0]
      module.network.aws_subnet.cc_subnet[0]
      module.network.aws_subnet.public_subnet[0]
      module.network.aws_subnet.route53_subnet[0]
      module.network.aws_subnet.route53_subnet[1]
      module.network.aws_subnet.workload_subnet[0]
      module.network.aws_vpc.vpc[0]
      module.route53.aws_route53_resolver_endpoint.zpa_r53_ep
      module.route53.aws_route53_resolver_rule.fwd_to_cc["appseg1"]
      module.route53.aws_route53_resolver_rule.fwd_to_cc["appseg2"]
      module.route53.aws_route53_resolver_rule.system["ZS-FreeBSD"]
      module.route53.aws_route53_resolver_rule.system["ZS-NTP"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZPABeta"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZPAGov"]
      module.route53.aws_route53_resolver_rule.system["ZS-Zpath"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZsCloud"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZsNet"]
      module.route53.aws_route53_resolver_rule.system["ZS-Zscaler"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerBeta"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerGov"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerOne"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerThree"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerTwo"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-FreeBSD"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-NTP"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZPABeta"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZPAGov"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-Zpath"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZsCloud"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZsNet"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-Zscaler"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerBeta"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerGov"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerOne"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerThree"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerTwo"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_to_cc["appseg1"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_to_cc["appseg2"]
      module.workload.data.aws_partition.workload_current_partition
      module.workload.data.aws_ssm_parameter.amazon_linux_latest
      module.workload.data.aws_vpc.selected
      module.workload.data.local_sensitive_file.zscaler_root_cert
      module.workload.aws_iam_instance_profile.server_host_profile
      module.workload.aws_iam_role.node_iam_role
      module.workload.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.workload.aws_instance.server_host[0]
      module.workload.aws_security_group.node_sg
      module.workload.aws_security_group_rule.server_node_ingress_self
      module.workload.aws_security_group_rule.server_node_ingress_ssh

      Close

    Close

  Close
• Deployment Templates with Gateway Load Balancer (GWLB)

  • Starter Deployment Template with GWLB

    Use the Starter Deployment Template with Gateway Load Balancer (base_cc_gwlb) to deploy your Cloud Connector in a new VPC. The template creates the following resources:

    • VPC
    • Gateway Load Balancer
    • Cloud Connector subnet
    • Public subnet
    • Private subnet
    • Key pair for SSH access
    • Instance profile with IAM role and required policy permissions (Secrets Manager, Systems Manager [SSM], Workload Tags)
    • Elastic IP address associated with NAT gateway
    • Two Cloud Connector VMs
    • Route 53 subnet, Resolver rules, and outbound endpoints
    • Linux bastion host
    • Linux workload server
    • Internet gateway
    • NAT gateway
    • Management interface
    • Service interface
    • Network security group for management interface
    • Network security group for service interface
    • Route tables for routing the workload traffic through the Cloud Connector and for rerouting traffic to the second Cloud Connector

    • See Resource Logs

      data.aws_ami.cloudconnector
      aws_key_pair.deployer
      local_file.private_key
      local_file.testbed
      local_file.user_data_file
      random_string.suffix
      tls_private_key.key
      module.bastion.data.aws_iam_policy_document.bastion_instance_assume_role_policy
      module.bastion.data.aws_partition.bastion_current_partition
      module.bastion.data.aws_ssm_parameter.amazon_linux_latest
      module.bastion.data.aws_vpc.selected
      module.bastion.aws_iam_instance_profile.bastion_host_profile
      module.bastion.aws_iam_role.bastion_iam_role
      module.bastion.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.bastion.aws_instance.bastion
      module.bastion.aws_security_group.bastion
      module.bastion.aws_security_group_rule.internet
      module.bastion.aws_security_group_rule.intranet
      module.bastion.aws_security_group_rule.ssh
      module.cc_iam.data.aws_iam_policy_document.cc_autoscale_lifecycle_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_get_secrets_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_metrics_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_session_manager_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_tags_policy_document
      module.cc_iam.data.aws_iam_policy_document.instance_assume_role_policy
      module.cc_iam.data.aws_secretsmanager_secret.cc_secret_name
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[0]
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[1]
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[2]
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[3]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[0]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[1]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[2]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[3]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[0]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[1]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[2]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[3]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[0]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[1]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[2]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[3]
      module.cc_iam.aws_iam_role.cc_node_iam_role[0]
      module.cc_iam.aws_iam_role.cc_node_iam_role[1]
      module.cc_iam.aws_iam_role.cc_node_iam_role[2]
      module.cc_iam.aws_iam_role.cc_node_iam_role[3]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[1]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[2]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[3]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[1]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[2]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[3]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[1]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[2]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[3]
      module.cc_sg.data.aws_vpc.selected
      module.cc_sg.aws_security_group.cc_mgmt_sg[0]
      module.cc_sg.aws_security_group.cc_mgmt_sg[1]
      module.cc_sg.aws_security_group.cc_mgmt_sg[2]
      module.cc_sg.aws_security_group.cc_mgmt_sg[3]
      module.cc_sg.aws_security_group.cc_service_sg[0]
      module.cc_sg.aws_security_group.cc_service_sg[1]
      module.cc_sg.aws_security_group.cc_service_sg[2]
      module.cc_sg.aws_security_group.cc_service_sg[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[3]
      module.cc_vm.data.aws_ebs_default_kms_key.current_kms_key[0]
      module.cc_vm.data.aws_kms_alias.current_kms_arn[0]
      module.cc_vm.aws_instance.cc_vm[0]
      module.cc_vm.aws_instance.cc_vm[1]
      module.cc_vm.aws_instance.cc_vm[2]
      module.cc_vm.aws_instance.cc_vm[3]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[1]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[2]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[3]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[1]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[2]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[3]
      module.gwlb.aws_lb.gwlb
      module.gwlb.aws_lb_listener.gwlb_listener
      module.gwlb.aws_lb_target_group.gwlb_target_group
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[0]
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[1]
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[2]
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[3]
      module.gwlb_endpoint.data.aws_caller_identity.current
      module.gwlb_endpoint.data.aws_partition.current
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[0]
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[1]
      module.gwlb_endpoint.aws_vpc_endpoint_service.gwlb_vpce_service[0]
      module.network.data.aws_availability_zones.available
      module.network.data.aws_internet_gateway.igw_selected
      module.network.data.aws_nat_gateway.ngw_selected[0]
      module.network.data.aws_nat_gateway.ngw_selected[1]
      module.network.data.aws_subnet.cc_subnet_selected[0]
      module.network.data.aws_subnet.cc_subnet_selected[1]
      module.network.aws_eip.eip[0]
      module.network.aws_eip.eip[1]
      module.network.aws_internet_gateway.igw[0]
      module.network.aws_nat_gateway.ngw[0]
      module.network.aws_nat_gateway.ngw[1]
      module.network.aws_route_table.cc_rt[0]
      module.network.aws_route_table.cc_rt[1]
      module.network.aws_route_table.public_rt[0]
      module.network.aws_route_table.workload_rt[0]
      module.network.aws_route_table.workload_rt[1]
      module.network.aws_route_table_association.cc_rt_asssociation[0]
      module.network.aws_route_table_association.cc_rt_asssociation[1]
      module.network.aws_route_table_association.public_rt_association[0]
      module.network.aws_route_table_association.public_rt_association[1]
      module.network.aws_route_table_association.workload_rt_association[0]
      module.network.aws_route_table_association.workload_rt_association[1]
      module.network.aws_subnet.cc_subnet[0]
      module.network.aws_subnet.cc_subnet[1]
      module.network.aws_subnet.public_subnet[0]
      module.network.aws_subnet.public_subnet[1]
      module.network.aws_subnet.workload_subnet[0]
      module.network.aws_subnet.workload_subnet[1]
      module.network.aws_vpc.vpc[0]
      module.workload.data.aws_partition.workload_current_partition
      module.workload.data.aws_ssm_parameter.amazon_linux_latest
      module.workload.data.aws_vpc.selected
      module.workload.data.local_sensitive_file.zscaler_root_cert
      module.workload.aws_iam_instance_profile.server_host_profile
      module.workload.aws_iam_role.node_iam_role
      module.workload.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.workload.aws_instance.server_host[0]
      module.workload.aws_instance.server_host[1]
      module.workload.aws_security_group.node_sg
      module.workload.aws_security_group_rule.server_node_ingress_self
      module.workload.aws_security_group_rule.server_node_ingress_ssh

      Close

    Close
  • Starter Deployment Template with GWLB and ZPA

    Use the Starter Deployment Template with Gateway Load Balancer and ZPA (base_cc_gwlb_zpa) to deploy your Cloud Connector in a new VPC and to load balance traffic across multiple Cloud Connectors. Route 53 endpoints direct DNS resolver capability for ZPA. The template creates the following resources:

    • VPC
    • Gateway Load Balancer
    • Cloud Connector subnet
    • Public subnet
    • Private subnet
    • Key pair for SSH access
    • Instance profile with IAM role and required policy permissions (Secrets Manager, Systems Manager [SSM], Workload Tags)
    • Elastic IP address associated with NAT gateway
    • Two Cloud Connector VMs
    • Linux bastion host
    • Linux workload server
    • Internet gateway
    • NAT gateway
    • Management interface
    • Service interface
    • Network security group for management interface
    • Network security group for service interface
    • Route tables for routing the workload traffic through the Cloud Connector and for rerouting traffic to the second Cloud Connector
    • Route 53 subnet, Resolver rules, and outbound endpoints

    • See Resource Logs

      data.aws_ami.cloudconnector
      aws_key_pair.deployer
      local_file.private_key
      local_file.testbed
      local_file.user_data_file
      random_string.suffix
      tls_private_key.key
      module.bastion.data.aws_iam_policy_document.bastion_instance_assume_role_policy
      module.bastion.data.aws_partition.bastion_current_partition
      module.bastion.data.aws_ssm_parameter.amazon_linux_latest
      module.bastion.data.aws_vpc.selected
      module.bastion.aws_iam_instance_profile.bastion_host_profile
      module.bastion.aws_iam_role.bastion_iam_role
      module.bastion.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.bastion.aws_instance.bastion
      module.bastion.aws_security_group.bastion
      module.bastion.aws_security_group_rule.internet
      module.bastion.aws_security_group_rule.intranet
      module.bastion.aws_security_group_rule.ssh
      module.cc_iam.data.aws_secretsmanager_secret.cc_secret_name
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[0]
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[1]
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[2]
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[3]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[0]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[1]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[2]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[3]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[0]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[1]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[2]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[3]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[0]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[1]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[2]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[3]
      module.cc_iam.aws_iam_role.cc_node_iam_role[0]
      module.cc_iam.aws_iam_role.cc_node_iam_role[1]
      module.cc_iam.aws_iam_role.cc_node_iam_role[2]
      module.cc_iam.aws_iam_role.cc_node_iam_role[3]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[1]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[2]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[3]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[1]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[2]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[3]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[1]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[2]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[3]
      module.cc_sg.data.aws_vpc.selected
      module.cc_sg.aws_security_group.cc_mgmt_sg[0]
      module.cc_sg.aws_security_group.cc_mgmt_sg[1]
      module.cc_sg.aws_security_group.cc_mgmt_sg[2]
      module.cc_sg.aws_security_group.cc_mgmt_sg[3]
      module.cc_sg.aws_security_group.cc_service_sg[0]
      module.cc_sg.aws_security_group.cc_service_sg[1]
      module.cc_sg.aws_security_group.cc_service_sg[2]
      module.cc_sg.aws_security_group.cc_service_sg[3]
      module.cc_sg.aws_security_group.outbound_endpoint_sg[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_outbound_endpoint_tcp_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_outbound_endpoint_udp_all[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_outbound_endpoint_tcp_all[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_outbound_endpoint_udp_all[0]
      module.cc_vm.data.aws_ebs_default_kms_key.current_kms_key[0]
      module.cc_vm.data.aws_kms_alias.current_kms_arn[0]
      module.cc_vm.aws_instance.cc_vm[0]
      module.cc_vm.aws_instance.cc_vm[1]
      module.cc_vm.aws_instance.cc_vm[2]
      module.cc_vm.aws_instance.cc_vm[3]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[1]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[2]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[3]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[1]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[2]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[3]
      module.gwlb.aws_lb.gwlb
      module.gwlb.aws_lb_listener.gwlb_listener
      module.gwlb.aws_lb_target_group.gwlb_target_group
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[0]
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[1]
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[2]
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[3]
      module.gwlb_endpoint.data.aws_caller_identity.current
      module.gwlb_endpoint.data.aws_partition.current
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[0]
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[1]
      module.gwlb_endpoint.aws_vpc_endpoint_service.gwlb_vpce_service[0]
      module.network.data.aws_availability_zones.available
      module.network.data.aws_internet_gateway.igw_selected
      module.network.data.aws_nat_gateway.ngw_selected[0]
      module.network.data.aws_nat_gateway.ngw_selected[1]
      module.network.data.aws_subnet.cc_subnet_selected[0]
      module.network.data.aws_subnet.cc_subnet_selected[1]
      module.network.aws_eip.eip[0]
      module.network.aws_eip.eip[1]
      module.network.aws_internet_gateway.igw[0]
      module.network.aws_nat_gateway.ngw[0]
      module.network.aws_nat_gateway.ngw[1]
      module.network.aws_route_table.cc_rt[0]
      module.network.aws_route_table.cc_rt[1]
      module.network.aws_route_table.public_rt[0]
      module.network.aws_route_table.route53_rt[0]
      module.network.aws_route_table.route53_rt[1]
      module.network.aws_route_table.workload_rt[0]
      module.network.aws_route_table.workload_rt[1]
      module.network.aws_route_table_association.cc_rt_asssociation[0]
      module.network.aws_route_table_association.cc_rt_asssociation[1]
      module.network.aws_route_table_association.public_rt_association[0]
      module.network.aws_route_table_association.public_rt_association[1]
      module.network.aws_route_table_association.route53_rt_asssociation[0]
      module.network.aws_route_table_association.route53_rt_asssociation[1]
      module.network.aws_route_table_association.workload_rt_association[0]
      module.network.aws_route_table_association.workload_rt_association[1]
      module.network.aws_subnet.cc_subnet[0]
      module.network.aws_subnet.cc_subnet[1]
      module.network.aws_subnet.public_subnet[0]
      module.network.aws_subnet.public_subnet[1]
      module.network.aws_subnet.route53_subnet[0]
      module.network.aws_subnet.route53_subnet[1]
      module.network.aws_subnet.workload_subnet[0]
      module.network.aws_subnet.workload_subnet[1]
      module.network.aws_vpc.vpc[0]
      module.route53.aws_route53_resolver_endpoint.zpa_r53_ep
      module.route53.aws_route53_resolver_rule.fwd_to_cc["appseg1"]
      module.route53.aws_route53_resolver_rule.fwd_to_cc["appseg2"]
      module.route53.aws_route53_resolver_rule.system["ZS-FreeBSD"]
      module.route53.aws_route53_resolver_rule.system["ZS-NTP"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZPABeta"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZPAGov"]
      module.route53.aws_route53_resolver_rule.system["ZS-Zpath"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZsCloud"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZsNet"]
      module.route53.aws_route53_resolver_rule.system["ZS-Zscaler"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerBeta"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerGov"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerOne"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerThree"]
      module.route53.aws_route53_resolver_rule.system["ZS-ZscalerTwo"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-FreeBSD"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-NTP"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZPABeta"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZPAGov"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-Zpath"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZsCloud"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZsNet"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-Zscaler"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerBeta"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerGov"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerOne"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerThree"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerTwo"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_to_cc["appseg1"]
      module.route53.aws_route53_resolver_rule_association.r53_rule_association_to_cc["appseg2"]
      module.workload.data.aws_partition.workload_current_partition
      module.workload.data.aws_ssm_parameter.amazon_linux_latest
      module.workload.data.aws_vpc.selected
      module.workload.data.local_sensitive_file.zscaler_root_cert
      module.workload.aws_iam_instance_profile.server_host_profile
      module.workload.aws_iam_role.node_iam_role
      module.workload.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.workload.aws_instance.server_host[0]
      module.workload.aws_instance.server_host[1]
      module.workload.aws_security_group.node_sg
      module.workload.aws_security_group_rule.server_node_ingress_self
      module.workload.aws_security_group_rule.server_node_ingress_ssh

      Close

    Close
  • Custom Deployment Template with GWLB

    Use the Custom Deployment Template with Gateway Load Balancer (cc_gwlb) to deploy your Cloud Connector in a new or existing VPC. The template creates the following resources:

    • VPC
    • Cloud Connector subnet
    • Public subnet
    • Private subnet
    • Internet gateway
    • NAT gateway
    • Key pair for SSH access
    • Instance profile with IAM role and required policy permissions (Secrets Manager, Systems Manager [SSM], Workload Tags)
    • Elastic IP address associated with NAT gateway
    • Cloud Connector appliance
    • Management interface
    • Service interface
    • Network security group for management interface
    • Network security group for service interface
    • Gateway Load Balancer
    • Listener
    • Target group
    • VPC endpoint service
    • VPC endpoints
    • (Optional) Route 53 outbound endpoints
    • (Optional) Route 53 Resolver rules
    • (Optional) Route 53 security group
    • (Optional) Route 53 subnet

    • See Resource Logs

      [0]-[1] indicates default values where two duplicate/like resources (like cloud connectors) would be created
      data.aws_ami.cloudconnector
      aws_key_pair.deployer
      local_file.private_key
      local_file.testbed
      local_file.user_data_file
      random_string.suffix
      tls_private_key.key
      module.cc_iam.data.aws_secretsmanager_secret.cc_secret_name
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[0]
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[1]
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[2]
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[3]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[0]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[1]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[2]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[3]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[0]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[1]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[2]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[3]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[0]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[1]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[2]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[3]
      module.cc_iam.aws_iam_role.cc_node_iam_role[0]
      module.cc_iam.aws_iam_role.cc_node_iam_role[1]
      module.cc_iam.aws_iam_role.cc_node_iam_role[2]
      module.cc_iam.aws_iam_role.cc_node_iam_role[3]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[1]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[2]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[3]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[1]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[2]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[3]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[1]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[2]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[3]
      module.cc_sg.data.aws_vpc.selected
      module.cc_sg.aws_security_group.cc_mgmt_sg[0]
      module.cc_sg.aws_security_group.cc_mgmt_sg[1]
      module.cc_sg.aws_security_group.cc_mgmt_sg[2]
      module.cc_sg.aws_security_group.cc_mgmt_sg[3]
      module.cc_sg.aws_security_group.cc_service_sg[0]
      module.cc_sg.aws_security_group.cc_service_sg[1]
      module.cc_sg.aws_security_group.cc_service_sg[2]
      module.cc_sg.aws_security_group.cc_service_sg[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_12002[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[3]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[1]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[2]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_all[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[3]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[1]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[2]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_https_local[3]
      module.cc_vm.data.aws_ebs_default_kms_key.current_kms_key[0]
      module.cc_vm.data.aws_kms_alias.current_kms_arn[0]
      module.cc_vm.aws_instance.cc_vm[0]
      module.cc_vm.aws_instance.cc_vm[1]
      module.cc_vm.aws_instance.cc_vm[2]
      module.cc_vm.aws_instance.cc_vm[3]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[1]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[2]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_0[3]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[0]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[1]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[2]
      module.cc_vm.aws_network_interface.cc_vm_nic_index_1[3]
      module.gwlb.aws_lb.gwlb
      module.gwlb.aws_lb_listener.gwlb_listener
      module.gwlb.aws_lb_target_group.gwlb_target_group
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[0]
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[1]
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[2]
      module.gwlb.aws_lb_target_group_attachment.gwlb_target_group_attachment[3]
      module.gwlb_endpoint.data.aws_caller_identity.current
      module.gwlb_endpoint.data.aws_partition.current
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[0]
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[1]
      module.gwlb_endpoint.aws_vpc_endpoint_service.gwlb_vpce_service[0]
      module.network.data.aws_availability_zones.available
      module.network.data.aws_internet_gateway.igw_selected
      module.network.data.aws_nat_gateway.ngw_selected[0]
      module.network.data.aws_nat_gateway.ngw_selected[1]
      module.network.data.aws_subnet.cc_subnet_selected[0]
      module.network.data.aws_subnet.cc_subnet_selected[1]
      module.network.aws_eip.eip[0]
      module.network.aws_eip.eip[1]
      module.network.aws_internet_gateway.igw[0]
      module.network.aws_nat_gateway.ngw[0]
      module.network.aws_nat_gateway.ngw[1]
      module.network.aws_route_table.cc_rt[0]
      module.network.aws_route_table.cc_rt[1]
      module.network.aws_route_table.public_rt[0]
      module.network.aws_route_table_association.cc_rt_asssociation[0]
      module.network.aws_route_table_association.cc_rt_asssociation[1]
      module.network.aws_route_table_association.public_rt_association[0]
      module.network.aws_route_table_association.public_rt_association[1]
      module.network.aws_subnet.cc_subnet[0]
      module.network.aws_subnet.cc_subnet[1]
      module.network.aws_subnet.public_subnet[0]
      module.network.aws_subnet.public_subnet[1]
      module.network.aws_vpc.vpc[0]

      Close

    Close

  Close
• Deployment Templates with Auto Scaling

  • Starter Deployment Template with Auto Scaling and GWLB

    Use the Starter Deployment Template with Auto Scaling and Gateway Load Balancer (base_cc_gwlb_asg) to deploy your Cloud Connector in a new VPC.

    To enable Auto Scaling, contact Zscaler Support.

    The template creates the following resources:

    • VPC
    • Cloud Connector subnet
    • Public subnet
    • Private subnet
    • Internet gateway
    • NAT gateway
    • Key pair for SSH access
    • Instance profile with IAM role and required policy permissions (Secrets Manager, Systems Manager [SSM], Workload Tags)
    • IAM policy for lifecycle actions
    • IAM policy for CloudWatch metrics
    • IAM policy for Lambda logs
    • CloudWatch EventBridge rules for Lambda
    • Cloudwatch log group
    • Elastic IP address associated with NAT gateway
    • Cloud Connector appliance
    • Management interface
    • Service interface
    • Network security group for management interface
    • Network security group for service interface
    • Gateway Load Balancer
    • Listener
    • Target group
    • VPC endpoint service
    • VPC endpoints
    • Linux bastion EC2 with automatic public IP
    • Linux bastion IAM role
    • Linux bastion security group
    • Linux workload EC2 in a private subnet
    • Linux workload IAM role
    • Linux workload security group
    • Linux workload route table sending default route next-hop VPC endpoint
    • Launch template
    • Auto Scaling group
    • Lambda function
    • Lambda permissions
    • [Optional] SNS topic for email alerts

    • See Resource Logs

      [0]-[1] indicates default values where two duplicate/like resources (like cloud connectors) would be created
      data.aws_ami.cloudconnector
      aws_key_pair.deployer
      local_file.private_key
      local_file.testbed
      local_file.user_data_file
      random_string.suffix
      tls_private_key.key
      module.asg_lambda.data.aws_iam_policy_document.lambda_autoscale_lifecycle_policy_document
      module.asg_lambda.data.aws_iam_policy_document.lambda_get_secrets_policy_document
      module.asg_lambda.data.aws_iam_policy_document.lambda_logs_policy_document
      module.asg_lambda.data.aws_iam_policy_document.lambda_metrics_policy_document
      module.asg_lambda.data.aws_secretsmanager_secret.lambda_secret_name
      module.asg_lambda.aws_cloudwatch_event_rule.asg_cloudwatch_instance_termination_event_rule
      module.asg_lambda.aws_cloudwatch_event_rule.asg_cloudwatch_lifecycle_event_rule
      module.asg_lambda.aws_cloudwatch_event_rule.asg_cloudwatch_scheduler_event_rule
      module.asg_lambda.aws_cloudwatch_event_target.asg_cloudwatch_instance_termination_event_target
      module.asg_lambda.aws_cloudwatch_event_target.asg_cloudwatch_lifecycle_event_target
      module.asg_lambda.aws_cloudwatch_event_target.asg_cloudwatch_scheduler_event_target
      module.asg_lambda.aws_cloudwatch_log_group.asg_cloudwatch_log_group
      module.asg_lambda.aws_iam_policy.lambda_autoscale_lifecycle_policy
      module.asg_lambda.aws_iam_policy.lambda_get_secrets_policy
      module.asg_lambda.aws_iam_policy.lambda_logs_policy
      module.asg_lambda.aws_iam_policy.lambda_metrics_policy
      module.asg_lambda.aws_iam_role.asg_lambda_iam_role
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_autoscale_lifecycle_attachment
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_get_secrets_attachment
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_logs_attachment
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_metrics_attachment
      module.asg_lambda.aws_lambda_function.asg_lambda_function
      module.asg_lambda.aws_lambda_permission.asg_cloudwatch_instance_termination_permission
      module.asg_lambda.aws_lambda_permission.asg_cloudwatch_lifecycle_permission
      module.asg_lambda.aws_lambda_permission.asg_cloudwatch_scheduler_event_permission
      module.bastion.data.aws_iam_policy_document.bastion_instance_assume_role_policy
      module.bastion.data.aws_ssm_parameter.amazon_linux_latest
      module.bastion.data.aws_vpc.selected
      module.bastion.aws_iam_instance_profile.bastion_host_profile
      module.bastion.aws_iam_role.bastion_iam_role
      module.bastion.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.bastion.aws_instance.bastion
      module.bastion.aws_security_group.bastion
      module.bastion.aws_security_group_rule.internet
      module.bastion.aws_security_group_rule.intranet
      module.bastion.aws_security_group_rule.ssh
      module.cc_asg.data.aws_ebs_default_kms_key.current_kms_key[0]
      module.cc_asg.data.aws_kms_alias.current_kms_arn[0]
      module.cc_asg.data.aws_sns_topic.cc_asg_topic_selected[0]
      module.cc_asg.aws_autoscaling_attachment.cc_asg_attachment_gwlb[0]
      module.cc_asg.aws_autoscaling_attachment.cc_asg_attachment_gwlb[1]
      module.cc_asg.aws_autoscaling_group.cc_asg[0]
      module.cc_asg.aws_autoscaling_group.cc_asg[1]
      module.cc_asg.aws_autoscaling_notification.cc_asg_notifications[0]
      module.cc_asg.aws_autoscaling_policy.cc_asg_cpu_utilization_policy[0]
      module.cc_asg.aws_autoscaling_policy.cc_asg_cpu_utilization_policy[1]
      module.cc_asg.aws_launch_template.cc_launch_template[0]
      module.cc_asg.aws_sns_topic.cc_asg_topic[0]
      module.cc_asg.aws_sns_topic_subscription.cc_asg_topic_email_subscription[0]
      module.cc_iam.data.aws_iam_policy_document.cc_autoscale_lifecycle_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_get_secrets_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_metrics_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_session_manager_policy_document
      module.cc_iam.data.aws_iam_policy_document.instance_assume_role_policy
      module.cc_iam.data.aws_secretsmanager_secret.cc_secret_name
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[0]
      module.cc_iam.aws_iam_policy.cc_autoscale_lifecycle_policy[0]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[0]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[0]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[0]
      module.cc_iam.aws_iam_role.cc_node_iam_role[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_autoscale_lifecycle_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[0]
      module.cc_sg.data.aws_vpc.selected
      module.cc_sg.aws_security_group.cc_mgmt_sg[0]
      module.cc_sg.aws_security_group.cc_service_sg[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[0]
      module.gwlb.aws_lb.gwlb
      module.gwlb.aws_lb_listener.gwlb_listener
      module.gwlb.aws_lb_target_group.gwlb_target_group
      module.gwlb_endpoint.data.aws_caller_identity.current
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[0]
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[1]
      module.gwlb_endpoint.aws_vpc_endpoint_service.gwlb_vpce_service
      module.network.data.aws_availability_zones.available
      module.network.data.aws_internet_gateway.igw_selected
      module.network.data.aws_nat_gateway.ngw_selected[0]
      module.network.data.aws_nat_gateway.ngw_selected[1]
      module.network.data.aws_subnet.cc_subnet_selected[0]
      module.network.data.aws_subnet.cc_subnet_selected[1]
      module.network.aws_eip.eip[0]
      module.network.aws_eip.eip[1]
      module.network.aws_internet_gateway.igw[0]
      module.network.aws_nat_gateway.ngw[0]
      module.network.aws_nat_gateway.ngw[1]
      module.network.aws_route_table.cc_rt[0]
      module.network.aws_route_table.cc_rt[1]
      module.network.aws_route_table.public_rt[0]
      module.network.aws_route_table.workload_rt[0]
      module.network.aws_route_table.workload_rt[1]
      module.network.aws_route_table_association.cc_rt_asssociation[0]
      module.network.aws_route_table_association.cc_rt_asssociation[1]
      module.network.aws_route_table_association.public_rt_association[0]
      module.network.aws_route_table_association.public_rt_association[1]
      module.network.aws_route_table_association.workload_rt_association[0]
      module.network.aws_route_table_association.workload_rt_association[1]
      module.network.aws_subnet.cc_subnet[0]
      module.network.aws_subnet.cc_subnet[1]
      module.network.aws_subnet.public_subnet[0]
      module.network.aws_subnet.public_subnet[1]
      module.network.aws_subnet.workload_subnet[0]
      module.network.aws_subnet.workload_subnet[1]
      module.network.aws_vpc.vpc[0]
      module.workload.data.aws_ssm_parameter.amazon_linux_latest
      module.workload.data.aws_vpc.selected
      module.workload.aws_iam_instance_profile.server_host_profile
      module.workload.aws_iam_role.node_iam_role
      module.workload.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.workload.aws_instance.server_host[0]
      module.workload.aws_instance.server_host[1]
      module.workload.aws_security_group.node_sg
      module.workload.aws_security_group_rule.server_node_ingress_self
      module.workload.aws_security_group_rule.server_node_ingress_ssh 

      Close

    Close
  • Starter Deployment Template with Auto Scaling, GWLB, and ZPA

    Use the Starter Deployment Template with Auto Scaling, GWLB, and ZPA (base_cc_gwlb_asg_zpa) to deploy your Cloud Connector in a new VPC.

    To enable Auto Scaling, contact Zscaler Support.

    The template creates the following resources:

    • VPC
    • Cloud Connector subnet
    • Public subnet
    • Private subnet
    • Internet gateway
    • NAT gateway
    • Key pair for SSH access
    • Instance profile with IAM role and required policy permissions (Secrets Manager, Systems Manager [SSM], Workload Tags)
    • IAM policy for lifecycle actions
    • IAM policy for CloudWatch metrics
    • IAM policy for Lambda logs
    • CloudWatch EventBridge rules for Lambda
    • CloudWatch log group
    • Elastic IP address associated with NAT gateway
    • Cloud Connector appliance
    • Management interface
    • Service interface
    • Network security group for management interface
    • Network security group for service interface
    • Gateway Load Balancer
    • Listener
    • Target group
    • VPC endpoint service
    • VPC rndpoints
    • Linux bastion EC2 with automatic public IP
    • Linux bastion IAM role
    • Linux bastion security group
    • Linux workload EC2 in private subnet
    • Linux workload IAM role
    • Linux workload security group
    • Linux workload route table sending default route next-hop VPC endpoint
    • Launch template
    • Auto Scaling group
    • Lambda function
    • Lambda permissions
    • (Optional) SNS topic for email alerts
    • (Optional) Route 53 outbound endpoints
    • (Optional) Route 53 Resolver rules
    • (Optional) Route 53 security group
    • (Optional) Route 53 subnet

    • See Resource Logs

      [0]-[1] indicates default values where two duplicate/like resources (like cloud connectors) would be created
      data.aws_ami.cloudconnector
      aws_key_pair.deployer
      local_file.private_key
      local_file.testbed
      local_file.user_data_file
      random_string.suffix
      tls_private_key.key
      module.asg_lambda.data.aws_iam_policy_document.lambda_autoscale_lifecycle_policy_document
      module.asg_lambda.data.aws_iam_policy_document.lambda_get_secrets_policy_document
      module.asg_lambda.data.aws_iam_policy_document.lambda_logs_policy_document
      module.asg_lambda.data.aws_iam_policy_document.lambda_metrics_policy_document
      module.asg_lambda.data.aws_secretsmanager_secret.lambda_secret_name
      module.asg_lambda.aws_cloudwatch_event_rule.asg_cloudwatch_instance_termination_event_rule
      module.asg_lambda.aws_cloudwatch_event_rule.asg_cloudwatch_lifecycle_event_rule
      module.asg_lambda.aws_cloudwatch_event_rule.asg_cloudwatch_scheduler_event_rule
      module.asg_lambda.aws_cloudwatch_event_target.asg_cloudwatch_instance_termination_event_target
      module.asg_lambda.aws_cloudwatch_event_target.asg_cloudwatch_lifecycle_event_target
      module.asg_lambda.aws_cloudwatch_event_target.asg_cloudwatch_scheduler_event_target
      module.asg_lambda.aws_cloudwatch_log_group.asg_cloudwatch_log_group
      module.asg_lambda.aws_iam_policy.lambda_autoscale_lifecycle_policy
      module.asg_lambda.aws_iam_policy.lambda_get_secrets_policy
      module.asg_lambda.aws_iam_policy.lambda_logs_policy
      module.asg_lambda.aws_iam_policy.lambda_metrics_policy
      module.asg_lambda.aws_iam_role.asg_lambda_iam_role
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_autoscale_lifecycle_attachment
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_get_secrets_attachment
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_logs_attachment
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_metrics_attachment
      module.asg_lambda.aws_lambda_function.asg_lambda_function
      module.asg_lambda.aws_lambda_permission.asg_cloudwatch_instance_termination_permission
      module.asg_lambda.aws_lambda_permission.asg_cloudwatch_lifecycle_permission
      module.asg_lambda.aws_lambda_permission.asg_cloudwatch_scheduler_event_permission
      module.bastion.data.aws_iam_policy_document.bastion_instance_assume_role_policy
      module.bastion.data.aws_ssm_parameter.amazon_linux_latest
      module.bastion.data.aws_vpc.selected
      module.bastion.aws_iam_instance_profile.bastion_host_profile
      module.bastion.aws_iam_role.bastion_iam_role
      module.bastion.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.bastion.aws_instance.bastion
      module.bastion.aws_security_group.bastion
      module.bastion.aws_security_group_rule.internet
      module.bastion.aws_security_group_rule.intranet
      module.bastion.aws_security_group_rule.ssh
      module.cc_asg.data.aws_ebs_default_kms_key.current_kms_key[0]
      module.cc_asg.data.aws_kms_alias.current_kms_arn[0]
      module.cc_asg.data.aws_sns_topic.cc_asg_topic_selected[0]
      module.cc_asg.aws_autoscaling_attachment.cc_asg_attachment_gwlb[0]
      module.cc_asg.aws_autoscaling_attachment.cc_asg_attachment_gwlb[1]
      module.cc_asg.aws_autoscaling_group.cc_asg[0]
      module.cc_asg.aws_autoscaling_group.cc_asg[1]
      module.cc_asg.aws_autoscaling_notification.cc_asg_notifications[0]
      module.cc_asg.aws_autoscaling_policy.cc_asg_cpu_utilization_policy[0]
      module.cc_asg.aws_autoscaling_policy.cc_asg_cpu_utilization_policy[1]
      module.cc_asg.aws_launch_template.cc_launch_template[0]
      module.cc_asg.aws_sns_topic.cc_asg_topic[0]
      module.cc_asg.aws_sns_topic_subscription.cc_asg_topic_email_subscription[0]
      module.cc_iam.data.aws_iam_policy_document.cc_autoscale_lifecycle_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_get_secrets_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_metrics_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_session_manager_policy_document
      module.cc_iam.data.aws_iam_policy_document.instance_assume_role_policy
      module.cc_iam.data.aws_secretsmanager_secret.cc_secret_name
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[0]
      module.cc_iam.aws_iam_policy.cc_autoscale_lifecycle_policy[0]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[0]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[0]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[0]
      module.cc_iam.aws_iam_role.cc_node_iam_role[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_autoscale_lifecycle_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[0]
      module.cc_sg.data.aws_vpc.selected
      module.cc_sg.aws_security_group.cc_mgmt_sg[0]
      module.cc_sg.aws_security_group.cc_service_sg[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[0]
      module.gwlb.aws_lb.gwlb
      module.gwlb.aws_lb_listener.gwlb_listener
      module.gwlb.aws_lb_target_group.gwlb_target_group
      module.gwlb_endpoint.data.aws_caller_identity.current
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[0]
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[1]
      module.gwlb_endpoint.aws_vpc_endpoint_service.gwlb_vpce_service
      module.network.data.aws_availability_zones.available
      module.network.data.aws_internet_gateway.igw_selected
      module.network.data.aws_nat_gateway.ngw_selected[0]
      module.network.data.aws_nat_gateway.ngw_selected[1]
      module.network.data.aws_subnet.cc_subnet_selected[0]
      module.network.data.aws_subnet.cc_subnet_selected[1]
      module.network.aws_eip.eip[0]
      module.network.aws_eip.eip[1]
      module.network.aws_internet_gateway.igw[0]
      module.network.aws_nat_gateway.ngw[0]
      module.network.aws_nat_gateway.ngw[1]
      module.network.aws_route_table.cc_rt[0]
      module.network.aws_route_table.cc_rt[1]
      module.network.aws_route_table.public_rt[0]
      module.network.aws_route_table.workload_rt[0]
      module.network.aws_route_table.workload_rt[1]
      module.network.aws_route_table_association.cc_rt_asssociation[0]
      module.network.aws_route_table_association.cc_rt_asssociation[1]
      module.network.aws_route_table_association.public_rt_association[0]
      module.network.aws_route_table_association.public_rt_association[1]
      module.network.aws_route_table_association.workload_rt_association[0]
      module.network.aws_route_table_association.workload_rt_association[1]
      module.network.aws_subnet.cc_subnet[0]
      module.network.aws_subnet.cc_subnet[1]
      module.network.aws_subnet.public_subnet[0]
      module.network.aws_subnet.public_subnet[1]
      module.network.aws_subnet.workload_subnet[0]
      module.network.aws_subnet.workload_subnet[1]
      module.network.aws_vpc.vpc[0]
      module.workload.data.aws_ssm_parameter.amazon_linux_latest
      module.workload.data.aws_vpc.selected
      module.workload.aws_iam_instance_profile.server_host_profile
      module.workload.aws_iam_role.node_iam_role
      module.workload.aws_iam_role_policy_attachment.ssm_managed_instance_core
      module.workload.aws_instance.server_host[0]
      module.workload.aws_instance.server_host[1]
      module.workload.aws_security_group.node_sg
      module.workload.aws_security_group_rule.server_node_ingress_self
      module.workload.aws_security_group_rule.server_node_ingress_ssh
      module.route53[0].data.aws_security_group.selected
      module.route53[0].aws_route53_resolver_endpoint.zpa_r53_ep
      module.route53[0].aws_route53_resolver_rule.fwd_to_cc["appseg1"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-FreeBSD"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-NTP"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZPABeta"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZPAGov"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-Zpath"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZsCloud"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZsNet"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-Zscaler"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerBeta"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerGov"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerOne"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerThree"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerTwo"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-FreeBSD"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-NTP"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZPABeta"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZPAGov"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-Zpath"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZsCloud"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZsNet"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-Zscaler"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerBeta"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerGov"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerOne"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerThree"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerTwo"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_to_cc["appseg1"]  

      Close

    Close
  • Custom Deployment Template with Auto Scaling and GWLB

    Use the Custom Deployment Template with Auto Scaling and Gateway Load Balancer (cc_gwlb_asg) to deploy your Cloud Connector in a new or existing VPC.

    To enable Auto Scaling, contact Zscaler Support.

    The template creates the following resources:

    • VPC
    • Cloud Connector subnet
    • Public subnet
    • Private subnet
    • Internet gateway
    • NAT gateway
    • Key pair for SSH access
    • Instance profile with IAM role and required policy permissions (Secrets Manager, Systems Manager [SSM], Workload Tags)
    • IAM policy for lifecycle actions
    • IAM policy for CloudWatch metrics
    • IAM policy for Lambda logs
    • CloudWatch EventBridge rules for Lambda
    • CloudWatch log group
    • Elastic IP address associated with NAT gateway
    • Cloud Connector appliance
    • Management interface
    • Service interface
    • Network security group for management interface
    • Network security group for service interface
    • Gateway Load Balancer
    • Listener
    • Target group
    • VPC endpoint service
    • VPC endpoints
    • Launch template
    • Auto Scaling group
    • Lambda function
    • Lambda permissions
    • (Optional) SNS topic for email alerts
    • (Optional) Route 53 outbound endpoints
    • (Optional) Route 53 Resolver rules
    • (Optional) Route 53 security group
    • (Optional) Route 53 subnet

    • See Resource Logs

      [0]-[1] indicates default values where two duplicate/like resources (like cloud connectors) would be created
      data.aws_ami.cloudconnector
      aws_key_pair.deployer
      local_file.private_key
      local_file.testbed
      local_file.user_data_file
      random_string.suffix
      tls_private_key.key
      module.asg_lambda.data.aws_iam_policy_document.lambda_autoscale_lifecycle_policy_document
      module.asg_lambda.data.aws_iam_policy_document.lambda_get_secrets_policy_document
      module.asg_lambda.data.aws_iam_policy_document.lambda_logs_policy_document
      module.asg_lambda.data.aws_iam_policy_document.lambda_metrics_policy_document
      module.asg_lambda.data.aws_secretsmanager_secret.lambda_secret_name
      module.asg_lambda.aws_cloudwatch_event_rule.asg_cloudwatch_instance_termination_event_rule
      module.asg_lambda.aws_cloudwatch_event_rule.asg_cloudwatch_lifecycle_event_rule
      module.asg_lambda.aws_cloudwatch_event_rule.asg_cloudwatch_scheduler_event_rule
      module.asg_lambda.aws_cloudwatch_event_target.asg_cloudwatch_instance_termination_event_target
      module.asg_lambda.aws_cloudwatch_event_target.asg_cloudwatch_lifecycle_event_target
      module.asg_lambda.aws_cloudwatch_event_target.asg_cloudwatch_scheduler_event_target
      module.asg_lambda.aws_cloudwatch_log_group.asg_cloudwatch_log_group
      module.asg_lambda.aws_iam_policy.lambda_autoscale_lifecycle_policy
      module.asg_lambda.aws_iam_policy.lambda_get_secrets_policy
      module.asg_lambda.aws_iam_policy.lambda_logs_policy
      module.asg_lambda.aws_iam_policy.lambda_metrics_policy
      module.asg_lambda.aws_iam_role.asg_lambda_iam_role
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_autoscale_lifecycle_attachment
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_get_secrets_attachment
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_logs_attachment
      module.asg_lambda.aws_iam_role_policy_attachment.lambda_metrics_attachment
      module.asg_lambda.aws_lambda_function.asg_lambda_function
      module.asg_lambda.aws_lambda_permission.asg_cloudwatch_instance_termination_permission
      module.asg_lambda.aws_lambda_permission.asg_cloudwatch_lifecycle_permission
      module.asg_lambda.aws_lambda_permission.asg_cloudwatch_scheduler_event_permission
      module.cc_asg.data.aws_ebs_default_kms_key.current_kms_key[0]
      module.cc_asg.data.aws_kms_alias.current_kms_arn[0]
      module.cc_asg.data.aws_sns_topic.cc_asg_topic_selected[0]
      module.cc_asg.aws_autoscaling_attachment.cc_asg_attachment_gwlb[0]
      module.cc_asg.aws_autoscaling_attachment.cc_asg_attachment_gwlb[1]
      module.cc_asg.aws_autoscaling_group.cc_asg[0]
      module.cc_asg.aws_autoscaling_group.cc_asg[1]
      module.cc_asg.aws_autoscaling_notification.cc_asg_notifications[0]
      module.cc_asg.aws_autoscaling_policy.cc_asg_cpu_utilization_policy[0]
      module.cc_asg.aws_autoscaling_policy.cc_asg_cpu_utilization_policy[1]
      module.cc_asg.aws_launch_template.cc_launch_template[0]
      module.cc_asg.aws_sns_topic.cc_asg_topic[0]
      module.cc_asg.aws_sns_topic_subscription.cc_asg_topic_email_subscription[0]
      module.cc_iam.data.aws_iam_policy_document.cc_autoscale_lifecycle_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_get_secrets_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_metrics_policy_document
      module.cc_iam.data.aws_iam_policy_document.cc_session_manager_policy_document
      module.cc_iam.data.aws_iam_policy_document.instance_assume_role_policy
      module.cc_iam.data.aws_secretsmanager_secret.cc_secret_name
      module.cc_iam.aws_iam_instance_profile.cc_host_profile[0]
      module.cc_iam.aws_iam_policy.cc_autoscale_lifecycle_policy[0]
      module.cc_iam.aws_iam_policy.cc_get_secrets_policy[0]
      module.cc_iam.aws_iam_policy.cc_metrics_policy[0]
      module.cc_iam.aws_iam_policy.cc_session_manager_policy[0]
      module.cc_iam.aws_iam_role.cc_node_iam_role[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_autoscale_lifecycle_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_get_secrets_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_metrics_attachment[0]
      module.cc_iam.aws_iam_role_policy_attachment.cc_session_manager_attachment[0]
      module.cc_sg.data.aws_vpc.selected
      module.cc_sg.aws_security_group.cc_mgmt_sg[0]
      module.cc_sg.aws_security_group.cc_service_sg[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_mgmt_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_all[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_tcp_443[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_123[0]
      module.cc_sg.aws_vpc_security_group_egress_rule.egress_cc_service_udp_443[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.cc_mgmt_ingress_ssh[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_geneve[0]
      module.cc_sg.aws_vpc_security_group_ingress_rule.ingress_cc_service_health_check[0]
      module.gwlb.aws_lb.gwlb
      module.gwlb.aws_lb_listener.gwlb_listener
      module.gwlb.aws_lb_target_group.gwlb_target_group
      module.gwlb_endpoint.data.aws_caller_identity.current
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[0]
      module.gwlb_endpoint.aws_vpc_endpoint.gwlb_vpce[1]
      module.gwlb_endpoint.aws_vpc_endpoint_service.gwlb_vpce_service
      module.network.data.aws_availability_zones.available
      module.network.data.aws_internet_gateway.igw_selected
      module.network.data.aws_nat_gateway.ngw_selected[0]
      module.network.data.aws_nat_gateway.ngw_selected[1]
      module.network.data.aws_subnet.cc_subnet_selected[0]
      module.network.data.aws_subnet.cc_subnet_selected[1]
      module.network.aws_eip.eip[0]
      module.network.aws_eip.eip[1]
      module.network.aws_internet_gateway.igw[0]
      module.network.aws_nat_gateway.ngw[0]
      module.network.aws_nat_gateway.ngw[1]
      module.network.aws_route_table.cc_rt[0]
      module.network.aws_route_table.cc_rt[1]
      module.network.aws_route_table.public_rt[0]
      module.network.aws_route_table_association.cc_rt_asssociation[0]
      module.network.aws_route_table_association.cc_rt_asssociation[1]
      module.network.aws_route_table_association.public_rt_association[0]
      module.network.aws_route_table_association.public_rt_association[1]
      module.network.aws_subnet.cc_subnet[0]
      module.network.aws_subnet.cc_subnet[1]
      module.network.aws_subnet.public_subnet[0]
      module.network.aws_subnet.public_subnet[1]
      module.network.aws_vpc.vpc[0]
      module.route53[0].data.aws_security_group.selected
      module.route53[0].aws_route53_resolver_endpoint.zpa_r53_ep
      module.route53[0].aws_route53_resolver_rule.fwd_to_cc["appseg1"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-FreeBSD"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-NTP"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZPABeta"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZPAGov"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-Zpath"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZsCloud"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZsNet"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-Zscaler"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerBeta"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerGov"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerOne"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerThree"]
      module.route53[0].aws_route53_resolver_rule.system["ZS-ZscalerTwo"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-FreeBSD"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-NTP"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZPABeta"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZPAGov"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-Zpath"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZsCloud"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZsNet"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-Zscaler"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerBeta"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerGov"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerOne"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerThree"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_system["ZS-ZscalerTwo"]
      module.route53[0].aws_route53_resolver_rule_association.r53_rule_association_to_cc["appseg1"]

      Close

    Close

  Close

This section describes the resources created when deploying Cloud Connector using a Terraform script. To learn more about deploying Cloud Connector in the Azure Marketplace, refer to Deploying Zscaler Cloud Connector with Microsoft Azure.

Use the templates in the Terraform repository to create the deployment resources required to deploy and operate Cloud Connector in a new or existing VPC.

GCP Deployment Templates