
Configuring Internet & SaaS Virtual Service Edge for Amazon Web Services with GWLB

Zscaler supports standalone Internet & SaaS Virtual Service Edge for production deployments on Amazon Web Services (AWS) with Gateway Load Balancer (GWLB). An organization can deploy the Virtual Service Edge instance on an EC2 Instance, on AWS with GWLB.

Before you begin deployment, contact Zscaler Support to request a share of the Virtual Service Edge AMI. Provide your AWS account ID and AWS region in which you want the AMI, except for China, as the Virtual Service Edge AMI is unavailable in this region (alternatively, you can consider China Premium Internet Access for the China region). After deployment, the Virtual Service Edge VM receives automatic software updates from the Zscaler cloud.

  • You need the following to deploy Virtual Service Edge on AWS:

    • A subscription to Virtual Service Edge
    • VM specifications:

      • Instance Memory: 32 GB
      • EBS Storage Volume Type: General Purpose SSD (recommended)
      • Data disk size: 500 GB

      Virtual Service Edge requires an Elastic Network Adapter (ENA)-enabled AWS EC2 instance.

      The recommended AWS EC2 instance specifications are as follows:

      Instance Size | Memory | Cores | Network Bandwidth | Instance Storage (GB)
      m5.2xlarge    | 32 GB  | 8     | Up to 10 Gbps     | EBS-Only
      c5.4xlarge    | 32 GB  | 16    | Up to 10 Gbps     | EBS-Only

    If swap utilization is observed on one of these instance types, use the other one.

    • A key pair with a public key and a private key file. AWS stores the public key, and your organization stores the private key file.
    • A virtual private cloud (VPC) for your AWS account
    • A subnet consisting of a range of IP addresses in your VPC
    • Network Specs
      • Two network interfaces
        • The first network interface is the management IP address. It's used for control connections to the Zscaler cloud and to make an SSH connection to the Virtual Service Edge VM for configuration and management.
        • The second network interface is the service IP address. It's used to proxy the user traffic.
      • Two Elastic IP addresses: to assign a public IP address to each of the two network interfaces.

        The two elastic IP addresses are not required when using a NAT. A NAT network configuration works correctly as long as it has sufficient network bandwidth.

    • Firewall Requirements: It's mandatory to deploy the Virtual Service Edge instance behind a VM network security group. The Virtual Service Edge instance requires only outbound connections to the Zscaler cloud. It does not require any inbound connections to your network from the Zscaler cloud. To view the firewall requirements for your specific account, go to the following URL: https://config.zscaler.com/<Zscaler Cloud Name>/zia-v-sedge.

      The <Zscaler Cloud Name> can be found in the URL you use to log in to the Admin Portal. For example, if you log in to admin.zscaler.net, then go to https://config.zscaler.com/zscaler.net/zia-v-sedge.

      The IP ranges are necessary to ensure that the service isn't affected by future Zscaler cloud expansion.

  • 2. Add Virtual Service Edge Instance
  • 3. Download Virtual Service Edge Certificates
  • Follow the next steps to launch a new EC2 instance with a Virtual Service Edge AMI, configure two network interfaces with Elastic IP addresses, and configure the required security group settings.

    1. On the top right corner of the screen, select the region in which you want to launch the instance.

    2. Create a new security group.

      1. Go to the Amazon EC2 console.
      2. In the left-side navigation, go to Network & Security > Security Groups.
      3. Click the Create Security Group button, and configure the following fields:
        • Security Group Name: Enter the name of the security group. Associate this security group with the two Network Interfaces you create in the EC2 Instance Provisioning Wizard.
        • Description: Enter additional notes or information. The required description shouldn’t be longer than 255 characters.
        • VPC: Enter the VPC to which the security group belongs.
      4. In the Inbound rules section, click the Add Rule button, and configure the following connection requirements:

        • Type: Select the type of inbound traffic.
        • Protocol: This field is automatically populated based on the type of inbound traffic selection.
        • Port range: Enter the port range for the inbound rule. To view the port range for your specific account, go to the following URL: https://config.zscaler.com/<Zscaler Cloud Name>/zia-v-sedge. For example, if you log in to admin.zscaler.net, then go to https://config.zscaler.com/zscaler.net/zia-v-sedge.
        • Source: Select the source type for the inbound rule and enter the source IP address.
        • Description - optional: Enter additional notes or information.

      5. In the Outbound rules section, click the Add Rule button, and configure the following connection requirements:

        • Type: Select the type of outbound traffic.
        • Protocol: This field is automatically populated based on the type of outbound traffic selection.
        • Port range: Enter the port range for the outbound rule. To view the port range for your specific account, go to the following URL: https://config.zscaler.com/<Zscaler Cloud Name>/zia-v-sedge. For example, if you log in to admin.zscaler.net, then go to https://config.zscaler.com/zscaler.net/zia-v-sedge.
        • Destination: Select the destination type for the outbound rule and enter the destination IP address.
        • Description - optional: Enter additional notes or information.

      6. Click Create.

    3. Launch and complete two new EC2 Instances.

      1. Go to the Amazon EC2 Console.
      2. Under Create Instance, click the Launch Instance button.
      3. In the left-side navigation, click the My AMIs tab.
      4. In the left-side navigation, under Ownership, check the box Shared with me.
      5. Locate the latest AMI shared with your account, and click the Select button.

        To see the Virtual Service Edge AMI on your AMI tab, you need to provide Zscaler with your AWS Account ID and region, except for China, as the Virtual Service Edge AMI is unavailable in this region. Zscaler privately shares the AMI with you.

      6. Choose the EC2 Instance type recommended in the Admin Portal.

        Zscaler’s EC2 instance type recommendation is based on the expected number of transactions, users, and the most economical option for the customer. If you are unable to select the recommended type, contact Zscaler Support for further guidance.

      7. Click Next: Configure Instance Details.
      8. In the Subnet drop-down menu, select the subnet in which the instance resides.

      9. Under Network Interfaces, click the Add Device button to add an additional network interface. Ensure to select the same subnet.

        By default, the EC2 instance has one Network Interface (eth0), but Virtual Service Edge requires an additional interface (eth1) in the same subnet. The management interface (eth0) is used for control connections to the Zscaler cloud and to make an SSH connection to the Virtual Service Edge for configuration and management. The service interface (eth1) is used for proxy services.

      10. Click Next: Add Storage.
      11. Choose the recommended specifications given in the Admin Portal.

        General Purpose SSD is recommended as the volume type.

      12. Click Next: Add Tags, and add any necessary tags.
      13. Click Next: Configure Security Group.
      14. Click Select an existing security group, and choose the security group you created earlier. Under Source, change 0.0.0.0 to a specific IP address from which you want to enable access.

      15. Click Review and Launch to review your information.
      16. Click Launch, and select a key pair.
      17. Click Launch Instances. The Launch Status page tells you if the launch was successful.

      Ensure to repeat steps 1 through 17 to launch a second EC2 instance.

    4. Create and associate two Elastic IP addresses.

      1. Go to the Amazon EC2 console.
      2. In the left-side navigation, go to Network & Security > Network Interfaces.
      3. Note down the Network Interface IDs of the network interfaces you created in the previous step. You need one of the IDs when associating an Elastic IP to the Network Interfaces.

      4. Go to Network & Security > Elastic IPs.
      5. Click the Allocate new address button to allocate a new Elastic IP address.
      6. Click Allocate. Repeat the preceding step and this step to have two Elastic IP addresses.

      7. Right-click on one of the Elastic IP addresses, and click Associate Address.
      8. On the Associate Address page:

        • Resource Type: Select the Network Interface option.
        • Network interface: Choose one of the Network Interface IDs you noted earlier.

        You can choose to either fill in the Network interface field or the Private IP field.

      9. Click Associate.

      Repeat steps 7, 8, and 9 for the other Elastic IP address.

    Screenshot of Virtual Service Edge Instances on AWS with GWLB
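The security group created in step 2 above is the only network control in front of the instance, and step 14 tells you to replace 0.0.0.0 under Source with a specific address. The following Python script is an added example, not Zscaler's code: it audits a security group description in the shape that `aws ec2 describe-security-groups` returns and flags inbound rules that are open to the world, that come from a source outside the CIDRs you intended, or that allow all ports. The group, its IDs and the allowed CIDRs are constructed placeholders; the real inbound port list for your cloud comes from https://config.zscaler.com/<Zscaler Cloud Name>/zia-v-sedge.

```python
"""Audit the inbound rules of a Virtual Service Edge security group.

Added example, not Zscaler's code. The group below is a constructed sample
in the shape that `aws ec2 describe-security-groups` returns; IDs, CIDRs and
descriptions are placeholders. The real inbound port list comes from
https://config.zscaler.com/<Zscaler Cloud Name>/zia-v-sedge.
"""
from ipaddress import ip_network

# Constructed sample: an admin SSH rule from a management CIDR (intended),
# a copy of that rule left open to the world (the default the wizard offers),
# and an all-ports rule from the VPC.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder
    "GroupName": "vzen-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "admin SSH"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "left from wizard"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "vpc"}]},
    ],
}


def rule_ports(perm):
    """Return (from, to) for a rule, or None when IpProtocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return None
    return perm.get("FromPort"), perm.get("ToPort")


def audit_inbound(group, allowed_cidrs):
    """Return finding strings for the group's inbound rules.

    allowed_cidrs lists the networks you meant to enter under Source
    (the specific address that replaces 0.0.0.0 in step 14 above).
    """
    allowed = [ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        ports = rule_ports(perm)
        port_txt = "all ports" if ports is None else f"{ports[0]}-{ports[1]}"
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            net = ip_network(cidr)
            if net.prefixlen == 0:
                # 0.0.0.0/0 on an inbound rule: reachable from the whole internet
                findings.append(f"OPEN_TO_WORLD {proto} {port_txt} from {cidr}")
            elif not any(a.version == net.version and net.subnet_of(a)
                         for a in allowed):
                findings.append(f"UNEXPECTED_SOURCE {proto} {port_txt} from {cidr}")
            if ports is None:
                # broader than the documented port list for this cloud
                findings.append(f"ALL_PORTS {proto} from {cidr}")
    return findings


if __name__ == "__main__":
    for line in audit_inbound(SAMPLE_GROUP, ["203.0.113.0/24", "10.0.0.0/16"]):
        print(line)
```

Run it against the output of the real `describe-security-groups` call by loading the JSON and passing one element of `SecurityGroups`; an empty result means every inbound rule comes from a source you listed and is limited to a port range.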

  • The following Virtual Service Edge configuration steps are run through an SSH terminal connection.

    To configure the Virtual Service Edge on the VM:

    1. Configure the network.

      1. Select the Virtual Service Edge VM and click either Power On or Power On the virtual machine.
      2. On the SSH terminal, enter the following credentials in the FreeBSD command prompt to log in:
        Username: zsroot
        Password: zsroot

        The following guidelines apply:

        • Zscaler strongly recommends that you change this default password. Run the following command:
          passwd
        • Direct root login is not permitted. Administrators must use the sudo utility to run a command with higher privileges.

      3. Run the following command:
        sudo vzen configure-network

        Specify the following details:

        • Address of the DNS server that is used for name resolution of Zscaler cloud domains and also for domain names in the proxy traffic. For example: 10.84.0.100.
        • Hostname of the Virtual Service Edge.

        The Virtual Service Edge management IP, gateway IP for management, and resolvers are obtained from DHCP.

        This command does not allow you to modify the management IP and gateway IP.

    2. Install the SSL certificate of the Virtual Service Edge instance. This is the certificate that you downloaded from the Admin Portal. A Virtual Service Edge uses this certificate to authenticate itself to the Zscaler service. When you configure a Virtual Service Edge, ensure that you upload the correct certificate for the Virtual Service Edge instance.

      To install the SSL certificate of the Virtual Service Edge instance:

      1. Go to the SSL certificate that you saved.
      2. Use SCP or SFTP to upload it to the management IP address of the Virtual Service Edge.
      3. On the SSH terminal, log in with the following credentials:
        Username: zsroot
        Password: zsroot
      4. Use SSH to connect to the management IP address.
      5. Run the following command:
        sudo vzen install-cert <cert-bundle.zip>

        Ensure to specify the absolute path to the SSL certificates (e.g., sudo vzen install-cert /tmp/cert-bundle.zip).

    3. (Optional) If you want to use an SNMP management system to monitor the Virtual Service Edge cluster, enable SNMP for Virtual Service Edge and configure SNMP parameters. Virtual Service Edges support SNMPv3 only.

      1. Run the following command:
        sudo vzen snmp-admin-configure

        Specify the following information:

        • The user name for the SNMPv3 management system that sends queries to the Virtual Service Edge. The Virtual Service Edge accepts queries only from this user name.
        • The password that the Virtual Service Edge uses to authenticate the SNMP management system.
        • An authentication protocol that the Virtual Service Edge uses to authenticate the SNMP user. Enter either MD5 or SHA1.
        • An encryption method that the Virtual Service Edge uses to authenticate the SNMP user. Enter either DES or AES.

      2. Run the following command:
        sudo vzen snmp-trap-configure

        When asked which traps you want to configure, specify v3 traps.

        Specify the following information:

        • The IP address of the SNMP trap management system to which the Virtual Service Edge sends traps.
        • The user name for the SNMP management system.
        • The password that the Virtual Service Edge uses to authenticate the SNMP management system.
        • An authentication protocol that the Virtual Service Edge uses to authenticate the SNMP user. Enter either MD5 or SHA1.
        • An encryption method that the Virtual Service Edge uses to authenticate the SNMP user. Enter either DES or AES.

    4. Download the Virtual Service Edge build and start the Virtual Service Edge.

      1. Use SSH to connect to the management IP address.
      2. Run the following command to download the Virtual Service Edge build:
        sudo vzen download-build

        The initial build is around 1 GB, so it may take a while depending on your internet connection. The downloaded build is automatically installed. The Virtual Service Edge automatically starts after the installation is complete.

    5. Verify the configuration.

      1. Use SSH to connect to the management IP address.
      2. Run the following command:
        sudo vzen status

        The output should display that the Virtual Service Edge service is running.

      3. Run the following command:
        sudo vzen troubleshoot connection | grep 9422

        The output should display an established connection.

  • To create a target group with the Virtual Service Edge's service IP address:

    1. Go to the Amazon EC2 console.
    2. In the left-side navigation, go to EC2 > Target Groups.
    3. Click the Create target group button.
    4. Choose the IP addresses target type.

    5. Configure the following:

      • Target Group Name: Enter a name for the target group.
      • Protocol: Select GENEVE protocol.
      • Port: Ensure the port is set to 6081.
      • VPC: Select the Virtual Service Edge's VPC.
      • Health check protocol: Select the TCP protocol.

    6. In the Advanced health check settings:

      • Health check port: Choose the Override option, and configure it to any unknown port (e.g., 5000).
      • Healthy threshold: Enter a healthy threshold as per your organization's requirement.
      • Unhealthy threshold: Enter an unhealthy threshold as per your organization's requirement.
      • Timeout: Enter a timeout as per your organization's requirement.
      • Interval: Enter an interval as per your organization's requirement.

    7. Click Next.
    8. Configure the following to register the targets:

      • Network: Select the same network as the Virtual Service Edge's VPC network.
      • IPv4 addresses: Enter the service IP addresses of both the Virtual Service Edges.

        You can add more IP addresses by clicking Add IPv4 address.

      • Ports: Ensure the port is set to 6081.

    9. Click Include as pending below.
    10. Review the targets.
    11. Click Create target group.
  • To create a GWLB in the Load Balancers section:

    1. Go to the Amazon EC2 console.
    2. In the left-side navigation, go to EC2 > Load balancers.
    3. Click Compare and select load balancer type.
    4. Click Create for Gateway Load Balancer.

    5. In the Create Gateway Load Balancer window:

      • Load balancer name: Enter a name for the LB.
      • VPC: Select the Virtual Service Edge's VPC.
      • Mappings: Select the Virtual Service Edge's Zone and Subnet.
      • IP listener routing: Select the target group created in the preceding step.

    6. Review the summary.

    7. Click Create Load Balancer.
  • To create an endpoint service in VPC:

    1. Go to the Amazon EC2 console.
    2. In the left-side navigation, go to VPC > Endpoint services.
    3. Click Create endpoint service.
    4. In the Create endpoint service window:

      • Name - Optional: Enter a name for the endpoint service.
      • Load balancer type: Select the Gateway type.
      • Available load balancers: Select the GWLB created in the preceding step.

    5. In the Additional Settings section:

      • Require acceptance for endpoint: Select the Acceptance required option.
      • Supported IP address types: Select the IPv4 option.

    6. Click Create.

      The endpoint service is created.

  • To create an endpoint in VPC:

    1. Go to the Amazon EC2 console.
    2. In the left-side navigation, go to VPC > Endpoints.
    3. Click Create endpoint.
    4. In the Endpoint settings section:

      • Name - optional: Enter a name for the endpoint.
      • Service category: Select Other endpoint services category.

    5. In the Service settings section, enter the service name of the endpoint service created in the preceding step in the Service name field.
    6. Click Verify service.

    7. In the VPC field, select the Virtual Service Edge's VPC.
    8. In the Subnets section:

      • Availability Zone: Select the Virtual Service Edge's zone.
      • Subnet ID: Choose the Virtual Service Edge's subnet ID.

    9. Click Create Endpoint.

      The endpoint is created.

    10. Go to VPC > Endpoint services.
    11. Select the endpoint service created in the preceding step.
    12. Go to the Endpoint connections tab.
    13. Select the endpoint created in step i.
    14. In the Actions drop-down, select Accept endpoint connection request.

  • To add a service port to both the Virtual Service Edges:

    1. Go to the /sc/sme/conf folder:
      cd /sc/sme/conf
    2. Create a new file called vzen_custom.conf:
      touch vzen_custom.conf

      This step is not necessary if the vzen_custom.conf file is already there.

    3. Edit vzen_custom.conf:
      vi vzen_custom.conf
    4. Enter the following port in the vzen_custom.conf file and save:
      [SME]
      serv_port=<Health check port configured>
      [-end-of-SME-]

      Ensure to enter the correct health check port (e.g., 5000) configured in Step 6.

    5. Restart the Virtual Service Edges:
      sudo vzen restart
    6. Check the health status of the target groups created (EC2 > Target Groups).

      Ensure that the status of the target groups is healthy.

    7. Forward your organization's traffic to GWLB.
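The health check port overridden in the target group (step 6 of the target group procedure) and the serv_port written into vzen_custom.conf must agree for the TCP health check to succeed, and the target group itself must be GENEVE on 6081. The following Python code is an added example, not Zscaler's code: it renders the [SME] block shown above for a given port, parses it back, and checks it against a target group description in the shape that `aws elbv2 describe-target-groups` returns. The target group and the conf text are constructed samples; 5000 is only the example port this page uses.

```python
"""Keep the GWLB health check port and vzen_custom.conf serv_port in step.

Added example, not Zscaler's code. The target group dict is a constructed
sample in the shape that `aws elbv2 describe-target-groups` returns; the
[SME] block is the one this page tells you to put in /sc/sme/conf.
"""
import re

GENEVE_PORT = 6081  # the GWLB target port required above

# Constructed sample target group, as the console creates it in the
# target group procedure above (TCP health check overridden to 5000).
SAMPLE_TARGET_GROUP = {
    "TargetGroupName": "vzen-tg",
    "Protocol": "GENEVE",
    "Port": GENEVE_PORT,
    "HealthCheckProtocol": "TCP",
    "HealthCheckPort": "5000",  # "traffic-port" would mean 6081 itself
}


def render_custom_conf(health_check_port):
    """Return the vzen_custom.conf text for the given health check port."""
    port = int(health_check_port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {health_check_port}")
    return f"[SME]\nserv_port={port}\n[-end-of-SME-]\n"


def parse_serv_port(conf_text):
    """Return serv_port from the [SME] ... [-end-of-SME-] block, or None."""
    block = re.search(r"\[SME\](.*?)\[-end-of-SME-\]", conf_text, re.S)
    if not block:
        return None
    m = re.search(r"^\s*serv_port\s*=\s*(\d+)\s*$", block.group(1), re.M)
    return int(m.group(1)) if m else None


def check_consistency(target_group, conf_text):
    """Return problems; an empty list means the two configurations agree."""
    problems = []
    if target_group.get("Protocol") != "GENEVE":
        problems.append("target group protocol must be GENEVE")
    if target_group.get("Port") != GENEVE_PORT:
        problems.append(f"target group port must be {GENEVE_PORT}")
    if target_group.get("HealthCheckProtocol") != "TCP":
        problems.append("health check protocol must be TCP")
    hc = str(target_group.get("HealthCheckPort", "traffic-port"))
    if not hc.isdigit():
        # "traffic-port" means the health check would hit 6081, not serv_port
        problems.append("health check port must be overridden with a port number")
        return problems
    hc_port = int(hc)
    if hc_port == GENEVE_PORT:
        problems.append("health check port must not be the GENEVE port")
    serv_port = parse_serv_port(conf_text)
    if serv_port is None:
        problems.append("serv_port not found in the [SME] block of vzen_custom.conf")
    elif serv_port != hc_port:
        problems.append(f"serv_port {serv_port} != health check port {hc_port}")
    return problems


if __name__ == "__main__":
    conf = render_custom_conf(SAMPLE_TARGET_GROUP["HealthCheckPort"])
    print(conf)
    print("problems:", check_consistency(SAMPLE_TARGET_GROUP, conf))
```

Feed check_consistency() the real target group JSON and the contents of /sc/sme/conf/vzen_custom.conf from each Virtual Service Edge before running `sudo vzen restart`; any returned problem explains why the target would stay unhealthy.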

Testing Traffic

To test the traffic:

  1. Add a route to the endpoint.
  2. Create a route table in the same VPC and subnet where you created the EC2 instance (client machine):
    1. Go to the Amazon EC2 console.
    2. In the left-side navigation, go to VPC > Route Tables.
    3. Click Create route table.
    4. In the Create route table window:
      1. Name - optional: Enter a name for the route table.
      2. VPC: Enter the same VPC used to create the EC2 instance.
      3. Click Create route table.
  3. Add a route to the route table:
    1. Click Edit routes.
    2. Click Add route, and do the following:
      1. Destination: Enter the required destination subnet or enter 0.0.0.0/0 to send all traffic.
      2. Target: Enter the Endpoint ID of the Endpoint created in VPC.
    3. Click Save Changes.
  4. Associate the route table to the subnet where you created the EC2 instance:
    1. Go to the Amazon EC2 console.
    2. In the left-side navigation, go to VPC > Subnets.
    3. Select the subnet where you created the EC2 instance.
    4. Click Edit route table association.
    5. In the Route table ID field, enter the route table ID of the route table created in the preceding step.
    6. Click Save.
  5. Send the traffic from the EC2 Instance.
  6. In the Admin Portal, go to Logs > Insights > Web Insights > Logs, and retrieve the logs for the last 15 minutes to verify logs for test traffic are present.
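Before sending test traffic (step 5), it is worth confirming that the client subnet's route table really sends the test destination to the GWLB endpoint rather than, for example, to the VPC-local route. The following Python code is an added example, not Zscaler's code: it takes route tables in the shape that `aws ec2 describe-route-tables` returns, finds the table associated with the client subnet, performs the longest-prefix match the VPC router would, and reports whether the winning route targets the endpoint ID. All IDs and the route table itself are constructed placeholders; that an endpoint route appears under GatewayId is an assumption, so the lookup also accepts the other target keys.

```python
"""Confirm the client subnet routes test traffic to the GWLB endpoint.

Added example, not Zscaler's code. The route table below is a constructed
sample in the shape that `aws ec2 describe-route-tables` returns; every ID
is a placeholder. That a GWLB endpoint route shows up under GatewayId is an
assumption, so route_target() also accepts the other target keys.
"""
from ipaddress import ip_address, ip_network

CLIENT_SUBNET = "subnet-0aaa0000000000003"   # placeholder
GWLB_ENDPOINT = "vpce-0aaa0000000000009"     # placeholder

# Constructed sample: the route table built in the "Testing Traffic" steps,
# with the VPC-local route and a default route to the endpoint.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0aaa0000000000001",  # placeholder
        "VpcId": "vpc-0aaa0000000000001",         # placeholder
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
             "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": GWLB_ENDPOINT,
             "State": "active"},
        ],
        "Associations": [{"SubnetId": CLIENT_SUBNET, "Main": False}],
    },
]

TARGET_KEYS = ("GatewayId", "VpcEndpointId", "NatGatewayId",
               "InstanceId", "NetworkInterfaceId")


def table_for_subnet(route_tables, subnet_id):
    """Return the table associated with subnet_id, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main  # an unassociated subnet falls back to the main route table


def route_target(route):
    """Return the route's target ID whichever key AWS used for it."""
    for key in TARGET_KEYS:
        if route.get(key):
            return route[key]
    return None


def matching_route(route_table, address):
    """Longest-prefix match of address against the table's routes."""
    addr = ip_address(address)
    best, best_len = None, -1
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr:
            continue
        net = ip_network(cidr)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def check_client_routing(route_tables, subnet_id, endpoint_id, test_ip):
    """Return problems; empty means test_ip leaves the subnet via endpoint_id."""
    rt = table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return [f"subnet {subnet_id} is not associated with any route table"]
    route = matching_route(rt, test_ip)
    if route is None:
        return [f"no route covers {test_ip}"]
    problems = []
    target = route_target(route)
    if target != endpoint_id:
        problems.append(f"{test_ip} matches {route['DestinationCidrBlock']} -> {target}, not {endpoint_id}")
    if route.get("State") != "active":
        problems.append(f"route {route['DestinationCidrBlock']} is {route.get('State')}")
    return problems


if __name__ == "__main__":
    for ip in ("198.51.100.10", "10.0.1.5"):
        result = check_client_routing(SAMPLE_ROUTE_TABLES, CLIENT_SUBNET, GWLB_ENDPOINT, ip)
        print(ip, result or "ok")
```

The second sample address shows the expected behaviour for VPC-internal traffic: it matches the more specific local route and never reaches the GWLB endpoint, so a test against an in-VPC host would not produce a log entry in Web Insights.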

After you have verified your deployment, if you face any issues with Virtual Service Edge, see Troubleshooting Internet & SaaS Virtual Service Edge.
