icon-cloud-connector.svg
Cloud & Branch Connector

Troubleshooting Cloud Connector with Microsoft Azure

This article provides troubleshooting information and guidelines about Cloud Connector deployment in Microsoft Azure. You can learn about different issues, potential causes, and corresponding solutions for the deployed Cloud Connector.

  • The following tables list provisioning and deployment issues and their corresponding troubleshooting actions.

    Provisioning Issues

    Potential CausesTroubleshooting Actions
    Deployed Cloud Connector is not displayed in the Cloud & Branch Connector Admin Portal
    • Check whether user data is missing or is provided in an incorrect format.
      You can verify this by reviewing the Azure KeyVault entries, or by reviewing the User Data file located on the appliance here: /etc/cloud/cloud.cfg.d/userdata.cfg
      • Verify the API Key (api-key).
      • Verify login credentials (username, password).
    • Verify that the provisioning URL is in the correct format and there are no spaces.
    • From the Zscaler Cloud & Branch Connector Admin Portal, verify that the Provisioning Template type is correct.
    • Check whether Cloud Connector has sufficient privileges to the Azure KeyVault. Ensure that the Get and List roles are assigned to that the User Managed Identity that the Cloud Connector is using.
    • Check whether Cloud Connector has sufficient privileges to enumerate Network Interfaces. Ensure that the Network Contributor role or Microsoft.Network/networkInterfaces/read permission is assigned to the User Managed Identity that the Cloud Connector is using. Also ensure that the Managed Identity has a sufficient scope that includes the Cloud Connector appliance.
    • Verify network security groups to ensure that Cloud Connectors can reach the Zscaler cloud.
    • Check whether the Cloud Connector could reach the package repository when using certificate authority.
      • Verify that you can do a package update to confirm that the package repository is reachable and certificates are valid. Run the sudo pkg update command.
    • Verify DNS resolution.
    Terraform script fails to create a VNet in a greenfield deployment.Check whether the user has surpassed the VNet creation limit for that region.

    Deployment Issues

    Potential CausesTroubleshooting Actions
    Cloud Connector is in the wrong geolocation in the Cloud & Branch Connector Admin Portal.
    • Verify that the outbound NAT and routing take the appropriate egress path. In the Cloud & Branch Connector Admin Portal, confirm the Public IP address.
    • If the Public IP address is correct, contact Zscaler Support.
    Cloud Connector is in an inactive state.

    Verify the following:

    • The registration and policy fetch are correct. Run the sudo januscli status command to check.
    • Cloud Connector instance is up and running within the Azure Management Console.
    • The Cloud & Branch Connector Admin Portal can be reached from your VNet/subnet.
    • Azure KeyVault has the correct secret credentials in case of a secrets rotation.
    • The network is connected. Verify the route tables, NAT gateway, and DNS.
    • The network security group is not blocking the Cloud Connector TCP/UDP 443 traffic.

    You cannot validate these conditions from the Command Line Interface (CLI) because it uses the management interface for the operation.

    In the Cloud & Branch Connector Admin Portal, the Zscaler Internet Access (ZIA) gateway IP address is not populated.From the Cloud & Branch Connector Admin Portal, check the ZIA gateway configuration. If the gateway configuration is not set correctly, contact Zscaler Support.
    Close

  • Potential CausesTroubleshooting Action
    Account not created.Contact Zscaler Support.
    Cloud Connector SKUs not enabled.Contact Zscaler Support.
    Authentication failed.Verify that the username and all credentials are valid. Confirm that the admin exists in the Cloud & Branch Connector Admin Portal.
    User could not access single sign-on (SSO) from the Cloud & Branch Connector Admin Portal.Contact Zscaler Support.
    Close

  • The traffic from the deployed Cloud Connector might not be able to reach internet applications.

    Check the following areas to isolate and identify what is preventing the traffic connection:

    Potential CausesTroubleshooting Action
    The firewall policy attached to the Cloud Connector.Verify that the ZIA firewall policy is not blocking any outbound traffic.
    The connectivity from the Cloud Connector to ZIA.

    Verify the following:

    • In the Cloud & Branch Connector Admin Portal, the ZIA Gateway is populated.
    • Session logs display the Cloud Connector self-traffic.
    • The Cloud & Branch Connector Admin Portal displays your tunnel insights.
    The ingress routing to the Cloud Connector.

    Verify the following:

    • The routing of the workload subnet.
    • The network security group on the workload subnet.
    • The security group for workloads.
    The egress path from the Cloud Connector.

    Verify the following:

    • The gateway configuration.
    • The forwarding policy in the Cloud & Branch Connector Admin Portal.
    • The network security group and other services on egress.
    The status of the Cloud Connector.

    Verify the following:

    • The virtual machine (VM) status of the Cloud Connector.
    • The service status of the Cloud Connector.
    Connectivity issues between Cloud Connectors within a group or cluster.

    Verify the following:

    • Within a given connector group or cluster, all Cloud Connectors communicate with each other via their service interface(s) to share information such as fully qualified domain name (FQDN)/wildcard FQDN synchronization.
    • No firewall or security groups are blocking network communications between Cloud Connectors within a given VPC/VNet and their availability zones.

    Close

  • If your workloads are unable to access private applications, verify the following:

    • The destination can be reached via Zscaler Client Connector.
    • Cloud Connector can resolve ZPA destinations by sending a DNS request for a Zscaler Private Access (ZPA) destination from a workload directly to the IP address of a Cloud Connector service interface. The response should be an IP address from the IP pool defined in the Cloud Connector DNS policy. If that fails, check ZPA access and forwarding policies.
    • The workload can resolve ZPA destinations by sending a regular DNS request for a ZPA destination. If that fails, check the Azure or workload DNS settings.
    • The IP addresses/ranges that ZPA uses are routed through the Cloud Connector service interfaces.
    • The Cloud Connector DNS and forwarding logs are operational.
    • The ZPA events are operational.
    • If FQDN-based ZPA App Segments are in use, Cloud Connector is able to resolve ZPA destinations by sending a DNS request for a ZPA destination from a workload directly to the IP address of a Cloud Connector service interface.
    Close

  • If you are unable to monitor traffic in the ZIA Admin Portal, verify the following:

    • The Cloud Connector location created in the ZIA Admin Portal is registered in the ZIA Admin Portal.
    • In the ZIA Admin Portal, the tunnel logs are showing traffic to ZIA.
    • When you filter traffic in the Cloud & Branch Connector Admin Portal, you use the ZIA filter.
    • On the Cloud & Branch Connector Admin Portal's Traffic Forwarding Rules page, the traffic forwarding method is ZIA.
    Close

  • If you are unable to monitor traffic in the ZPA Admin Portal, verify the following:

    • Cloud Connector is registered in the ZPA Admin Portal.
    • In the Cloud & Branch Connector Admin Portal, the forwarding filter is ZPA.
    • In the ZPA Admin Portal, policy configuration is correct. Ensure that access policies and client forwarding policies are working.
    Close

  • If your traffic is not restored after Cloud Connector's connection failure, verify the following:

    • The Cloud Connector backup instance is in good health with the high-availability model.
    • In the Azure Load Balancer, the Cloud Connector instance is healthy.
    Close

  • To avoid connectivity disruptions and/or unreachable destinations, IP forwarding must be enabled on the Cloud Connector service interface. This setting is enabled by default, but it could be inadvertently disabled manually or via automation.

    To verify the IP forwarding setting:

    1. Log in to the Azure Portal.
    2. Click Network interfaces.
    3. Select the interface and then select Settings > IP configurations.

    4. In the IP Settings section, select Enable IP forwarding.

    Close

Occasionally, you might need to access the Cloud Connector appliance’s command-line interface (CLI) for troubleshooting or monitoring purposes.

Network operations, such as ping, use the management interface. The CLI only provides limited insights to the service interface and no options to directly test its connectivity.

You can access the CLI via the following methods:

  • A Bastion host is a lightweight VM instance installed within the same subnet as the Cloud Connector service interface. This option leverages Secure Socket Shell (SSH) as the connection protocol. Hence, you must have access to the SSH keypair used when instantiating the appliances.

    To access the appliance management interface remotely:

    1. Log in to the Microsoft Azure portal.

    2. On the Azure dashboard, navigate to the Search resources, service, and docs (G+/) field.

    3. In the Search resources, service, and docs (G+/) field, enter Public IP addresses. Then, under Services, select Public IP addresses. The Public IP addresses page appears.

    4. On the Public IP addresses page, click Create. The Create public IP address page appears.

    5. On the Create public IP address page, on the Basics tab, under Project details, configure the following settings:
      • Subscription: Select your desired subscription.
      • Resource group: Select your desired resource group to apply policies to the public IP address.
    6. Under Instance details, select a region for the public IP address.
    7. Under Configuration details, configure the following settings:
      • Name: Enter a name for the public IP address.
      • IP Version: Select IPv4.
      • SKU: Select Standard or Basic.
      • Availability zone: Select your desired availability zone.
      • Tier: Select Regional or Global.
      • IP address assignment: Select Static.
      • Routing preference: Select Microsoft network or Internet, depending on your preference.
      • Idle timeout (minutes): The default idle timeout is set to 4 minutes.

      • DNS name label: (Optional) Choose a DNS name label.

    8. Click Next : Tags >.
    9. On the Tags tab, assign your desired name/value pairs, and then click Review + create.

    10. On the Review + create tab, click Create.

    11. On the Public IP addresses page, navigate to the public IP address you created, and then click the name.

    12. On your public IP address's Overview page, click Associate. The Associate public IP address window appears.

    13. In the Associate public IP address window, configure the following settings:
      1. Resource type: Select Network interface.
      2. Network interface: Select the network interface of your Bastion host.

    14. Click OK to confirm the association.

    15. In the Search resources, service, and docs (G+/) field, enter Route tables. Then, under Services, select Route tables. The Route tables page appears.

      Before creating or configuring your route table, identify your public IP Address. This is the address that your SSH management traffic comes from.

    16. On the Route tables page, select the name of the route table associated with your Bastion host.

    17. On your route table's Overview page, in the left-side navigation, under Settings, select Routes.

    18. On the Routes page, click Add.
    19. In the Add route window, configure the following settings:
      1. Route name: Enter a name for your route.
      2. Destination type: Select IP Addresses.
      3. Destination IP addresses/CIDR ranges: Enter your public IP address.
      4. Next hop type: Select Internet.
      5. Next hop address: Set this field only if the Next hop type is Virtual appliance.

    20. Click Add to confirm the route.

    21. In the Search resources, service, and docs (G+/) field, enter Network security groups. Then, under Services, select Network security groups. The Network security groups page appears.

    22. On the Network security groups page, select the name of the network security group associated with your Bastion host.
    23. On your network security group's Overview page, in the left-side navigation, under Settings, select Inbound security rules.
    24. On the Inbound security rules page, click Add.
    25. In the Add inbound security rule window, configure the following settings:
      • Source: Select IP Addresses.
      • Source IP addresses/CIDR ranges: Enter your source IP addresses/CIDR ranges.
      • Source port ranges: Enter your source port ranges.
      • Destination: Select IP Addresses.
      • Service: Select SSH.
      • Destination port ranges: This field is automatically set to 22.
      • Protocol: This field is automatically set to TCP.
      • Action: Select Allow.
      • Priority: Enter a number to designate the priority of this rule.
      • Name: Enter a name for this rule.
      • Description: (Optional) Enter a description of the rule.

    26. Click Add to confirm the inbound security rule configuration.

    27. Using your preferred SSH client, SSH from the management host to the Cloud Connector. The administrative login for the appliance is zsroot. The administrative login for the Bastion host varies depending on the operating system (OS) selected. For Linux terminal SSH clients using a Linux (Ubuntu) Bastion host, the command is ssh -i mySshKey.pem zsroot@10.0.50.106 -o "proxycommand ssh -W %h:%p -i mySshKey.pem ubuntu@100.64.0.1.
    Close

  • Cloud Connector appliances have a dedicated management interface installed, by default, in the same subnet as the Service Interface. This option leverages SSH as the connection protocol. Hence, you must have access to the SSH keypair used when instantiating the appliances.

    To access the appliance management interface remotely:

    1. Log in to the Microsoft Azure portal.

    2. On the Azure dashboard, navigate to the Search resources, service, and docs (G+/) field.

    3. In the Search resources, service, and docs (G+/) field, enter Public IP addresses. Then, under Services, select Public IP addresses. The Public IP addresses page appears.

    4. On the Public IP addresses page, click Create. The Create public IP address page appears.

    5. On the Create public IP address page, on the Basics tab, under Project details, configure the following settings:
      • Subscription: Select your desired subscription.
      • Resource group: Select your desired resource group to apply policies to the public IP address.
    6. Under Instance details, select a region for the public IP address.
    7. Under Configuration details, configure the following settings:
      • Name: Enter a name for the public IP address.
      • IP Version: Select IPv4.
      • SKU: Select Standard or Basic.
      • Availability zone: Select your desired availability zone.
      • Tier: Select Regional or Global.
      • IP address assignment: Select Static.
      • Routing preference: Select Microsoft network or Internet, depending on your preference.
      • Idle timeout (minutes): The default idle timeout is set to 4 minutes.

      • DNS name label: Choose a DNS name label.

    8. Click Next : Tags >.
    9. On the Tags tab, assign your desired name/value pairs, and then click Review + create.

    10. On the Review + create tab, click Create.

    11. On the Public IP addresses page, navigate to the public IP address you created, and then click the name.

    12. On your public IP address's Overview page, click Associate. The Associate public IP address window appears.

    13. In the Associate public IP address window, configure the following settings:
      • Resource type: Select Network interface.
      • Network interface: Select the network interface of your management interface.

    14. Click OK to confirm the association.

    15. In the Search resources, service, and docs (G+/) field, enter Route tables. Then, under Services, select Route tables. The Route tables page appears.

      Before creating or configuring your route table, identify your public IP address. This is the address that your SSH management traffic comes from.

    16. On the Route tables page, select the name of the route table associated with your management interface.

    17. On your route table's Overview page, in the left-side navigation, under Settings, select Routes.

    18. On the Routes page, click Add.
    19. In the Add route window, configure the following settings:
      • Route name: Enter a name for your route.
      • Destination type: Select IP Addresses.
      • Destination IP addresses/CIDR ranges: Enter your public IP address.
      • Next hop type: Select Internet.
      • Next hop address: Set this field only if the Next hop type is Virtual appliance.

    20. Click Add to confirm the route.

    21. In the Search resources, service, and docs (G+/) field, enter Network security groups. Then, under Services, select Network security groups (classic). The Network security groups page appears.

    22. On the Network security groups page, select the name of the network security group associated with your management interface.
    23. On your network security group's Overview page, in the left-side navigation, under Settings, select Inbound security rules.
    24. On the Inbound security rules page, click Add.
    25. In the Add inbound security rule window, configure the following settings:
      • Source: Select IP Addresses.
      • Source IP addresses/CIDR ranges: Enter your source IP addresses/CIDR ranges.
      • Source port ranges: Enter your source port ranges.
      • Destination: Select IP Addresses.
      • Service: Select SSH.
      • Destination port ranges: This field is automatically set to 22.
      • Protocol: This field is automatically set to TCP.
      • Action: Select Allow.
      • Priority: Enter a number to designate the priority of this rule.
      • Name: Enter a name for this rule.
      • Description: (Optional) Enter a description of the rule.

    26. Click Add to confirm the inbound security rule configuration.

    27. Using your preferred SSH client, SSH from the management host to the Cloud Connector. The administrative login for the appliance is zsroot. For Linux terminal SSH clients, the command is ssh -i mySshKey.pem zsroot@100.64.0.1.
    Close

  • Microsoft Azure offers a feature known as a Bastion subnet. This feature allocates a small percentage of available IP addresses in a subnet to the Bastion service and provides an entry point into your cloud network for management purposes.

    To access the CLI via the Bastion subnet:

    1. Log in to the Microsoft Azure Portal.

    2. On the Azure dashboard, navigate to the Search resources, service, and docs (G+/) field.

    3. In the Search resources, service, and docs (G+/) field, enter Virtual machines. Then, under Services, select Virtual machines. The Virtual machines page appears.

    4. On the Virtual machines page, select your desired Cloud Connector appliance.

    5. On the Cloud Connector appliance Overview page, click Connect.

    6. Select Bastion, then click Use Bastion.

      Ensure that the service is created within the VNet and Management subnet of your appliance so the appropriate connectivity exists.

    7. Under Create Bastion, click Deploy Bastion.

    8. After your Bastion has deployed, return to your Cloud Connector appliance Overview page.

    9. On the Overview page, under Operations, select Bastion.

    10. In the Bastion window, configure the following settings:
      • Username: Enter zsroot.
      • Authentication Type: Select SSH Private Key from Local File.
      • Local File: Navigate to and select your SSH Key.

    11. Click Connect.

    Close
Related Articles
Enabling Remote Assistance Enabling Remote AccessTroubleshooting Cloud Connector with Amazon Web ServicesTroubleshooting Cloud Connector with Microsoft AzureTroubleshooting Cloud Connector with Google Cloud PlatformTroubleshooting Cloud Connector with HashiCorp Vault for Google Cloud Platform