Deploying Zscaler Cloud Connector on the Google Cloud Platform
This deployment guide provides information on prerequisites, how to deploy Zscaler Cloud Connector as a virtual machine (VM) on the Google Cloud Platform (GCP), and post-deployment configurations.
This procedure describes the steps for deploying Zscaler Cloud Connector using Terraform. To learn more about the resources created when deploying Zscaler Cloud Connector, see Deployment Templates for Zscaler Cloud Connector.
Prerequisites
Make sure the following prerequisites are met.
If you already created a dedicated admin role and role-based administrator for Cloud Connector deployment, you can skip steps 1 and 2.
- 1. Configure a new admin role.
Zscaler recommends that you create a dedicated admin role for Cloud Connector deployment. To configure a new admin role:
- Log in to the Zscaler Admin Portal as a super admin.
- Go to Administration > Admin Management > Role Based Access Control > Branch and Cloud Connector.
- Click Add Admin Role.
- In the Add Admin Role window:
- Name: Enter a unique name for the admin role (e.g., CloudConnector-Deployment-Role).
- Permissions: Ensure that the admin has full access to Location Management and Cloud Connector Provisioning. Set all other permissions to None.
- Click Save and activate the change.
- 2. Configure a new role-based administrator.
After you configure the admin role, create a new role-based administrator dedicated to Cloud Connector deployment. See Adding Users.
Select the admin role you created in the previous step and set the status to Enabled. See Managing Entitlements.
- 3. Retrieve the API key.
- 4. (Optional) Add a location template.
You do not need to configure location templates because locations are created automatically when you deploy Cloud Connector to a cloud provider such as GCP. Optionally, you can configure your own location template:
- Log in to the Cloud & Branch Connector Admin Portal.
- Go to Administration > Location Templates. The Add Location Template window opens.
- Click Add Location Template.
- In the Name field: Enter a name for the location template.
- In the Template Prefix field, enter a prefix for the location template. All locations created using this location template contain this prefix.
In the Gateway Options section:
- Enable XFF Forwarding: Enable this setting if you want the Zscaler service to use the X-Forwarded-For (XFF) headers that your on-premises proxy server inserts in outbound HTTP requests.
- Enforce Authentication: Enable this setting to require users from this location to authenticate to the service.
- Enable Caution: Enable this setting to display an end user notification for unauthenticated traffic. If you do not enable this setting, the action is treated as an allow policy.
- Enable AUP: Enable this setting to display an Acceptable Use Policy (AUP) for unauthenticated traffic and require users to accept it. If you enable this setting, the Custom AUP Frequency (Days) field appears. Enter in days how frequently the AUP is displayed to users.
- Enforce Firewall Control: Enable this setting to enable the service's firewall controls. If you enable this setting, the Enable IPS Control setting appears. Select this setting to enable Intrusion Prevention System (IPS) controls for the location template. To enable IPS controls, you must be subscribed to the advanced firewall SKU.
- Enforce Bandwidth Control: Enable this setting to enter the maximum bandwidth limits for Download (Mbps) and Upload (Mbps).
- Click Save and activate the change.
- 5. Configure a cloud provisioning template.
Configure a cloud provisioning template and copy the cloud provisioning URL. To configure a cloud provisioning template:
- Log in to the Admin Portal.
- Go to Infrastructure > Connectors > Cloud > Provisioning.
- Click Add Cloud Connector Provisioning Template.
- On the Cloud Provisioning Template page:
- Name: Enter a name for the cloud provisioning template.
- Description: Enter a description of the cloud provisioning template.
- Cloud Provider: Select GCP.
- Location Creation: This field is set to Automatic.
- Location Template: From the drop-down menu, select the Default Location Template or another template.
- Cloud Connector Group Creation: This field is set to Automatic.
- VM Size: Small is set by default.
- Click Save.
- From the Cloud Provisioning Template page, click the arrow in the Template Name column and copy the cloud provisioning URL. Store the cloud provisioning URL in a secure location.
- 6. Review the firewall requirements.
The Cloud Connector instance requires only outbound connections to the Zscaler cloud. It does not require any inbound connections to your network from the Zscaler cloud. To view the outbound access requirements for your specific account, go to the following URL: https://config.zscaler.com/<Zscaler Cloud Name>/cloud-branch-connector.
You can find the <Zscaler Cloud Name> in the URL you use to log in to the Cloud & Branch Connector Admin Portal. For example, if you log in to connector.zscaler.net, then go to https://config.zscaler.com/zscaler.net/cloud-branch-connector.
- 7. Create an admin service account used to run Terraform during deployment.
To create the service account:
- Log in to the GCP console.
- From the left-side navigation, select IAM & Admin > Service Accounts.
- Click Create Service Account.
- On the Service account details page:
- Service account name: Enter a unique display name for the service account.
- Service account ID: Enter the service account ID.
- Service account description: (Optional) Enter a description of the service account's purpose.
- Click Create and Continue.
- On the Grant this service account access to project page, from the Select a role drop-down menu, select Compute Instance Admin (v1).
- Click Add Another Role and add the following roles: Compute Network Admin, Compute Security Admin, Service Account Admin, Service Account User, Secret Manager Admin, and optionally, DNS Administrator.
- Click Done to create the service account.
- Select the created service account, then click Keys.
- From the Keys page, click Add Key > Create new key.
- Select JSON as the Key Type, then click Create. The private key automatically downloads to your computer.
- Copy the JSON file to a secure location. Later, you provide the path to this file so that Terraform can authenticate. Treat the file as a long-lived credential that carries every role granted above: keep it out of source control, restrict who can read it, and delete the key from the service account once deployment is complete.
- 8. Store your secret credentials.
Use one of the following methods to manage and retrieve your secret credentials.
- GCP Secret Manager
To create and store your secret credentials in Secret Manager from the GCP console:
- Log in to the GCP console.
- From the left-side navigation, select Security > Secret Manager.
- Click Create Secret.
- On the Secret details page, enter a unique name for your secret.
- Under Secret value, enter your secret values using the format shown below:
- username: Enter username for the name of your secret key. For the corresponding value, enter your dedicated Cloud Connector deployment username.
- password: Enter password for the name of your secret key. For the corresponding value, enter your dedicated Cloud Connector deployment password.
- api_key: Enter api_key for the name of your secret key (underscore, not hyphen). For the corresponding value, enter the value you copied from the API Keys page on the Admin Portal.
{ "username": "cc-deploy-user@company.com", "password": "cc-deploy-user-password", "api_key": "ZscalerCompanyAPIKey" }
- Under Encryption key, select Google-managed encryption key.
- Click Create secret.
- Copy the secret manager path to a secure location.
- Hashicorp Vault
For information about creating and storing your secrets in Hashicorp Vault, see Storing Your Secret Credentials in Hashicorp Vault for Google Cloud Platform-Based Cloud Connectors.
- 9. Create a service account for each VM to use after deployment.
Each VM needs a service account assigned to it. You can let Terraform create the service account during deployment, or manually create the service account before deployment. To manually create the service account, perform the following procedure:
- Log in to the GCP Console.
- From the left-side navigation, select IAM & Admin > Service Accounts.
- Click Create Service Account.
- In the Service account details section:
- Service account name: Enter a unique display name for the service account. GCP generates a Service account ID based on this name.
- Service account ID: If necessary, change the ID. You cannot change the ID after the service account is created.
- Service account description: (Optional) Enter a description of the service account's purpose.
- Click Create and Continue.
- On the Grant this service account access to project page, do one of the following, depending on the method you use to store and manage your secret credentials:
- GCP Secret Manager: From Role drop-down menu, select Secret Manager Secret Accessor.
- HashiCorp Vault: From Role drop-down menu, select Service Account Token Creator.
- Click Done to create the service account.
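The gcloud equivalent of prerequisite steps 7 through 9, as an added example that is not part of Zscaler's guide or its Terraform modules. The project, service account and secret names are assumptions (override them through the environment variables at the top); the role list and the username/password/api_key secret layout come from the steps above. Two things go beyond the console steps: zscc_validate_secret_json refuses a payload whose API key is stored under a hyphenated "api-key" name before anything is created, and the per-VM service account is granted Secret Manager Secret Accessor on the one secret rather than on the whole project. Nothing is created unless ZSCC_APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not Zscaler's code: gcloud equivalents of prerequisite steps
# 7 (Terraform admin service account), 8 (Secret Manager secret) and
# 9 (per-VM service account). Names below are assumptions; override via env.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"        # assumed project
ADMIN_SA="${ADMIN_SA:-zscc-terraform-admin}"      # assumed SA name
VM_SA="${VM_SA:-zscc-vm}"                         # assumed SA name
SECRET_NAME="${SECRET_NAME:-zscc-credentials}"    # assumed secret name
ADMIN_SA_EMAIL="${ADMIN_SA}@${PROJECT_ID}.iam.gserviceaccount.com"
VM_SA_EMAIL="${VM_SA}@${PROJECT_ID}.iam.gserviceaccount.com"

# Roles from step 7. roles/dns.admin is optional in the guide, so it is left
# out here; add it only if Terraform must manage Cloud DNS for you.
zscc_admin_roles() {
  printf '%s\n' roles/compute.instanceAdmin.v1 roles/compute.networkAdmin \
    roles/compute.securityAdmin roles/iam.serviceAccountAdmin \
    roles/iam.serviceAccountUser roles/secretmanager.admin
}

# Secret payload with the key names from step 8: username, password and
# api_key (underscore, not hyphen).
zscc_secret_json() {
  printf '{"username":"%s","password":"%s","api_key":"%s"}' "$1" "$2" "$3"
}

# Pre-flight check: all three keys must be present. A payload written with
# "api-key" is still valid JSON but fails this check.
zscc_validate_secret_json() {
  for key in username password api_key; do
    printf '%s' "$1" | grep -q "\"$key\"" || return 1
  done
  return 0
}

zscc_create_admin_sa() {
  gcloud iam service-accounts create "$ADMIN_SA" --project="$PROJECT_ID" \
    --display-name="Zscaler Cloud Connector Terraform admin"
  for role in $(zscc_admin_roles); do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${ADMIN_SA_EMAIL}" --role="$role" --condition=None
  done
  # A JSON key is a long-lived credential carrying all of the roles above.
  # Keep it out of source control and delete it after Terraform has run.
  gcloud iam service-accounts keys create "./${ADMIN_SA}.json" \
    --iam-account="$ADMIN_SA_EMAIL"
}

zscc_create_secret() {
  zscc_validate_secret_json "$1" || { echo "secret payload is missing a key" >&2; return 1; }
  gcloud secrets create "$SECRET_NAME" --project="$PROJECT_ID" \
    --replication-policy=automatic
  printf '%s' "$1" | gcloud secrets versions add "$SECRET_NAME" \
    --project="$PROJECT_ID" --data-file=-
  # Secret Manager resource path; record it as step 8 says.
  echo "projects/${PROJECT_ID}/secrets/${SECRET_NAME}"
}

zscc_create_vm_sa() {
  gcloud iam service-accounts create "$VM_SA" --project="$PROJECT_ID" \
    --display-name="Zscaler Cloud Connector VM"
  # Secret Accessor on this one secret only, instead of project-wide.
  gcloud secrets add-iam-policy-binding "$SECRET_NAME" --project="$PROJECT_ID" \
    --member="serviceAccount:${VM_SA_EMAIL}" --role=roles/secretmanager.secretAccessor
}

# Opt-in: nothing is created unless ZSCC_APPLY=1, so the functions above
# can be sourced and checked offline.
if [ "${ZSCC_APPLY:-0}" = "1" ]; then
  printf 'Cloud Connector deployment password: '; stty -echo; read -r CC_PASS; stty echo; echo
  printf 'Zscaler API key: '; stty -echo; read -r CC_KEY; stty echo; echo
  zscc_create_admin_sa
  zscc_create_secret "$(zscc_secret_json cc-deploy-user@company.com "$CC_PASS" "$CC_KEY")"
  zscc_create_vm_sa
fi
```

Run it once with ZSCC_APPLY=1 from Cloud Shell after `gcloud config set project`; the path it prints at the end is the value to keep with the provisioning URL from step 5.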
Deploying the Cloud Connector
After you have met all the prerequisites, deploy the Cloud Connector using Terraform and then modify your route table and associated subnet to send workload traffic to the Cloud Connector.
- 1. Deploy the Cloud Connector using Terraform.
- Go to the terraform-gcp-cloud-connector-modules repository on GitHub.
- On GitHub, click Code > Download ZIP to download the Terraform ZIP file.
- Log in to the GCP console.
- In the upper-right corner, click the Activate Cloud Shell icon.
- In the upper-right corner of the Cloud Shell Terminal, click the three dots and click Upload to upload the ZIP file downloaded from GitHub.
- Click Upload again to upload the JSON file you secured when you created the admin service account.
- Unzip the Terraform ZIP file by running the following command:
unzip terraform-gcp-cloud-connector-modules-main.zip
- Identify the full path of the Terraform folder and JSON file.
- Navigate to the examples directory:
cd terraform-gcp-cloud-connector-modules-main/examples
- Enter the following command to initiate the deployment wizard:
./zsec up
The deployment wizard automatically downloads, installs, and initializes Terraform, then prompts you for the deployment inputs, including the full path of the JSON key file you uploaded.
- 2. Route workload traffic to the Cloud Connector.
After you complete deployment, tag the workload instance and add a route so that traffic from the private workload subnet is sent to the Cloud Connector. Until you do, workload traffic follows the VPC's default route and bypasses the Cloud Connector.
To send traffic to your deployed Cloud Connector:
- Log in to the GCP console.
- From the left-side navigation, select Compute Engine > VM Instances.
- Select your newly created Cloud Connector workload instance, then click Edit.
- Copy the name of the workload instance (e.g., zscc-workload-host-0yv34zh8).
- Under Network Tags, paste the instance name as a tag. The route you create next applies only to instances that carry this tag.
- Click Save.
- From the left-side navigation, select VPC Network > Routes.
- On the Routes page, navigate to Route Management.
- Click Create Route.
- On the Create a Route page:
- Name: Enter a name for the route.
- Network: Select the VPC where the workload is located (e.g., zscc-service-vpc-0yv34zh8).
- Route type: From the drop-down menu, select Static route.
- IP version: From the drop-down menu, select IPv4.
- Destination IPv4 range: Enter 0.0.0.0/0.
- Priority: Set the priority as an integer from 0 to 65535. Lower numbers take precedence, and the VPC's default internet route has priority 1000.
- Next hop: From the drop-down menu, select Specify a forwarding rule of internal TCP/UDP load balancer.
- Forwarding rule project: From the drop-down menu, select the project in which the forwarding rule is located.
- Forwarding rule name: From the drop-down menu, select the rule to forward traffic to the Cloud Connector.
- Click Equivalent Command Line to open the gcloud command line.
- Click Run in Cloud Shell.
- Append the workload instance's network tag to the gcloud command in Cloud Shell (the --tags flag of gcloud compute routes create) so that the route applies only to instances carrying that tag.
- Press Enter to run the command in Cloud Shell. For example:
Created [https://www.googleapis.com/compute/beta/projects/cc-poc-host-project-01/global/routes/route-from-workload-to-ilb-to-zscaler-cloud-connector].
NAME: route-from-workload-to-ilb-to-zscaler-cloud-connector
NETWORK: zscc-service-vpc-0yv34zh8
DEST_RANGE: 0.0.0.0/0
NEXT_HOP: 10.1.1.2
PRIORITY: 1000
- Go to VPC Network > Routes > Route Management to view your newly created route.
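The same routing change driven from gcloud, plus a check of which 0.0.0.0/0 route is actually in effect for the tagged workload, as an added example that is not part of Zscaler's guide. The project, VPC, instance and route names are taken from the guide's sample output; the zone, region and forwarding-rule name are assumptions. It goes beyond the console steps in two ways: zscc_check_priority warns when the chosen priority does not beat the VPC's default internet route (priority 1000), and zscc_effective_default_route parses the output of gcloud compute routes list to report which default route applies to the workload's network tag, naming both routes when they tie, so you can confirm the Cloud Connector route has taken effect before sending workload traffic.

```shell
#!/usr/bin/env bash
# Added example, not Zscaler's code: gcloud equivalent of "Route workload
# traffic to the Cloud Connector", plus a check of which 0.0.0.0/0 route is
# in effect for the tagged workload. Values marked assumed are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-cc-poc-host-project-01}"          # from the guide's output
VPC="${VPC:-zscc-service-vpc-0yv34zh8}"                     # from the guide
WORKLOAD_VM="${WORKLOAD_VM:-zscc-workload-host-0yv34zh8}"   # from the guide
ROUTE="${ROUTE:-route-from-workload-to-ilb-to-zscaler-cloud-connector}"
ZONE="${ZONE:-us-central1-a}"                               # assumed
REGION="${REGION:-us-central1}"                             # assumed
ILB_RULE="${ILB_RULE:-zscc-ilb-forwarding-rule}"            # assumed forwarding rule name
PRIORITY="${PRIORITY:-900}"

# Valid range is 0..65535. GCP picks the applicable route with the lowest
# number, and every VPC's default internet route is priority 1000, so warn
# when the value would tie with or lose to it.
zscc_check_priority() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 65535 ] || return 1
  if [ "$1" -ge 1000 ]; then
    echo "warning: priority $1 does not beat the default internet route (1000)" >&2
  fi
}

zscc_route_workload() {
  zscc_check_priority "$PRIORITY" || { echo "invalid priority: $PRIORITY" >&2; return 1; }
  # Tag the VM with its own name, as the console steps do, so the route
  # applies only to tagged instances and not to everything in the VPC.
  gcloud compute instances add-tags "$WORKLOAD_VM" --project="$PROJECT_ID" \
    --zone="$ZONE" --tags="$WORKLOAD_VM"
  gcloud compute routes create "$ROUTE" --project="$PROJECT_ID" \
    --network="$VPC" --destination-range=0.0.0.0/0 --priority="$PRIORITY" \
    --next-hop-ilb="$ILB_RULE" --next-hop-ilb-region="$REGION" \
    --tags="$WORKLOAD_VM"
}

# Reads "name<TAB>destRange<TAB>priority<TAB>tags" lines, the shape produced by
# gcloud ... --format='value(name,destRange,priority,tags)' (list fields are
# ';'-joined), and prints the 0.0.0.0/0 route that applies to TAG. Untagged
# routes apply to every VM; tagged routes only when TAG is listed. Routes
# that tie on priority are printed comma-joined so the ambiguity is visible.
zscc_effective_default_route() {
  tag="$1"; best_name=""; best_prio=65536
  while IFS="$(printf '\t')" read -r name dest prio tags; do
    [ "$dest" = "0.0.0.0/0" ] || continue
    case ";$tags;" in ";;"|*";$tag;"*) ;; *) continue ;; esac
    if [ "$prio" -lt "$best_prio" ]; then
      best_prio=$prio; best_name=$name
    elif [ "$prio" -eq "$best_prio" ]; then
      best_name="$best_name,$name"
    fi
  done
  printf '%s\n' "$best_name"
}

zscc_verify_route() {
  effective=$(gcloud compute routes list --project="$PROJECT_ID" \
      --filter="network:${VPC}" --format='value(name,destRange,priority,tags)' \
    | zscc_effective_default_route "$WORKLOAD_VM")
  if [ "$effective" != "$ROUTE" ]; then
    echo "workload $WORKLOAD_VM uses route '$effective', not $ROUTE" >&2
    return 1
  fi
  echo "workload $WORKLOAD_VM routes 0.0.0.0/0 via $ROUTE"
}

if [ "${ZSCC_APPLY:-0}" = "1" ]; then
  zscc_route_workload
  zscc_verify_route
fi
```

Run with ZSCC_APPLY=1 from Cloud Shell. If zscc_verify_route reports two comma-joined names, the new route ties with the default route at priority 1000 and the workload is not reliably steered to the Cloud Connector; recreate the route with a lower number.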
Managing the Cloud Connector
You can manage the Cloud Connector from the Cloud & Branch Connector Admin Portal. A deployed Cloud Connector is displayed on the dashboard. The Cloud & Branch Connector Monitoring page provides information on the name, group, location, geolocation, and status of the Cloud Connector VM instances deployed in your cloud account.
After verifying deployment, you can configure the following policies: