Deploying Zscaler Cloud Connector with Microsoft Azure
The Azure Routing Intent and Routing Policies feature for secured virtual Wide Area Network (WAN) hubs is incompatible with Cloud Connector.
This deployment guide provides information on prerequisites, how to deploy Zscaler Cloud Connector as a virtual machine (VM) in Microsoft Azure, and post-deployment configurations.
This procedure describes two methods for deploying Cloud Connector.
Zscaler Cloud Connector Application in the Azure Marketplace: The Azure Marketplace Application method is available for static deployment of Cloud Connector.
The Zscaler Cloud Connector Application in the Azure Marketplace is available in all regions except China. If you are deploying Cloud Connector from the China region, you must use Terraform.
Terraform: The Terraform method provides support for a richer set of functions, including the option to deploy using Virtual Machine Scale Sets (VMSS). To learn more about the resources created when deploying Cloud Connector using a Terraform script, see Deployment Templates for Zscaler Cloud Connector.
VMSS is the name of the feature in the Azure Marketplace and the Terraform templates. Auto Scaling is the name of the same feature in the Cloud Provisioning template.
Prerequisites
Make sure the following prerequisites are met.
The role that you assign to admins dictates the level of access they have to the Admin Portal. Zscaler provides a default admin account that has full access to the Admin Portal and scope over the entire organization. Admins must have full access to the API Key Management, Location Management, and Cloud Connector Provisioning permissions. To learn more, see About Role Management and Adding Admin Roles.
- Ensure that you have the following roles assigned to your Azure subscription: User Access Administrator, Contributor, and Key Vault Administrator.
- From the API Keys page, retrieve and copy the API key. Cloud Connector uses the API key to authenticate and register the VM with Zscaler.
- Add a Location Template. Locations identify the various networks from which your organization sends its traffic.
- Add a Cloud Provisioning Template and copy the Cloud Provisioning URL.
Firewall requirements: The Cloud Connector instance requires only outbound connections to the Zscaler cloud. It does not require any inbound connections to your network from the Zscaler cloud. To view the outbound access requirements for your specific account, go to the following URL: https://config.zscaler.com/<Zscaler Cloud Name>/cloud-branch-connector.
You can find the <Zscaler Cloud Name> in the URL you use to log in to the Admin Portal. For example, if you log in to connector.zscaler.net, then go to https://config.zscaler.com/zscaler.net/cloud-branch-connector.
- Create user-assigned managed identities.
User-assigned managed identities are required for deploying Cloud Connector. Ensure that Cloud Connector is not assigned an Azure system-assigned managed identity, because that identity overrides the deployment requirements.
There are two user-assigned managed identities:
- Cloud Connector: Managed identity associated with Cloud Connectors to perform Azure operations such as network interface discovery and metric publishing.
- Function App (VMSS only): Managed identity associated with an Azure Function app. Azure Functions make API calls to perform operations such as instance termination, instance replacement, and metric reading.
Deployments without VMSS require only the Cloud Connector managed identity and the Network Contributor role.
Deployments with VMSS require both managed identities and the following roles:
- Cloud Connector
  - Network Contributor
  - Monitoring Metrics Publisher (VMSS only)
- Function App (VMSS only)
  - Network Contributor
  - Virtual Machine Contributor
  - Monitoring Contributor
  - Managed Identity Operator
  - Storage Blob Data Reader
To create managed identities and assign roles:
- Log in to the Azure Portal.
- Under Services, search for Managed Identities.
- Click Create.
The Create User Assigned Managed Identity page appears.
- On the Basics tab:
- Subscription: Select the subscription with user access administrator permission to manage deployed resources.
- Resource group: Click Create new and enter a name for the resource group. A resource group is a collection of resources that share the same lifecycle, permissions, and policies.
- Region: Select the desired region for your deployment.
- Name: Enter a name for your user-assigned managed identity.
- Click Next: Tags >.
- On the Tags tab, configure tags to categorize resources, then click Next: Review + create >.
- On the Review + create tab, review your managed identity configuration, and then click Create.
- After your managed identity has been created, go to Managed Identities and select your managed identity.
- From the left-side navigation, click Azure role assignments, then click Add role assignment (Preview).
- In the Add role assignment (Preview) window:
- Scope: From the drop-down menu, select Subscription.
- Subscription: From the drop-down menu, select your subscription.
- Role: From the drop-down menu, select the role or roles specified above, one at a time.
- Click Save.
- (Scale Set deployments only) Repeat this procedure for the second managed identity.
- Create an Azure key vault.
Create an Azure key vault to securely store and access your secrets:
- Log in to the Azure Portal.
- Go to Key vaults, then click Create.
The Create a key vault page appears.
- On the Basics tab:
- Subscription: Select the subscription with user access administrator permission to manage deployed resources.
- Resource group: Select the resource group in which you want to create the key vault.
- Key vault name: Enter a name for your key vault.
- Region: Select the desired region for your deployment.
- Pricing tier: Select either Standard or Premium (includes support for HSM backed keys).
- Soft-delete: This setting is automatically enabled on this key vault. Soft-delete allows you to recover or permanently delete a key vault and secrets.
- Days to retain deleted vaults: Enter the desired period for retaining deleted vaults.
- Purge protection: Select either Disable purge protection (allow key vault and objects to be purged during retention period) or Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects).
- Click Next.
- On the Access policy tab:
- Access configuration: Select Vault access policy as the permission model.
- Resource access: Select Azure Resource Manager for template deployment.
- Under Access policies, click Create.
- In the Create an access policy window:
- Secret permissions: On the Permissions tab, under Secret permissions, select Get and List, then click Next.
- Principal: On the Principal tab, select your recently created managed identity, then click Next.
- Click Create.
- Click Next.
- On the Networking tab:
- Connectivity Configuration: Select Public Access to connect to the key vault publicly.
- Allow access from: Select All networks.
- Click Next.
- On the Tags tab, configure tags to categorize resources, then click Next.
- On the Review + Create tab, review the summary of your configurations and click Create.
- Create secrets to add to your Azure key vault.
Create secrets to store in your key vault:
- Log in to the Azure Portal.
- Go to Key vaults, then select your newly created key vault.
- In the left-side navigation, click Secrets, then click Generate/Import.
The Create a secret page appears.
- Add the following secrets:
  - api-key: For the name of your secret, enter api-key. For the corresponding value, enter the value from the API Keys page on the Admin Portal.
  - password: For the name of your secret, enter password. For the corresponding value, enter your Admin Portal password.
  - username: For the name of your secret, enter username. For the corresponding value, enter your Admin Portal username.
- Click Create.
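The managed identity, key vault, and secrets steps above expressed in Terraform, as an added example (this is not Zscaler's own Terraform module from the Azure on GitHub repository). The resource names, the region, the existing resource group, and the zs_secrets variable are assumptions, and only the non-VMSS role is assigned:

```hcl
provider "azurerm" {
  features {}
}
# Admin Portal values keyed api-key, username, password; pass via tfvars or TF_VAR_zs_secrets, never in source.
variable "zs_secrets" {
  type      = map(string)
  sensitive = true
}
data "azurerm_subscription" "current" {}
data "azurerm_client_config" "current" {}
data "azurerm_resource_group" "cc" {
  name = "rg-zscc-example" # assumed existing resource group
}
# Cloud Connector identity; a non-VMSS deployment needs only Network Contributor.
resource "azurerm_user_assigned_identity" "cc" {
  name                = "id-zscc-example"
  location            = data.azurerm_resource_group.cc.location
  resource_group_name = data.azurerm_resource_group.cc.name
}
resource "azurerm_role_assignment" "cc_network" {
  scope                            = data.azurerm_subscription.current.id
  role_definition_name             = "Network Contributor"
  principal_id                     = azurerm_user_assigned_identity.cc.principal_id
  skip_service_principal_aad_check = true # a just-created identity may not be replicated yet
}
# Vault access policy model, soft-delete retention and purge protection as in the steps above.
resource "azurerm_key_vault" "cc" {
  name                            = "kv-zscc-example" # must be globally unique
  location                        = data.azurerm_resource_group.cc.location
  resource_group_name             = data.azurerm_resource_group.cc.name
  tenant_id                       = data.azurerm_client_config.current.tenant_id
  sku_name                        = "standard"
  soft_delete_retention_days      = 90
  purge_protection_enabled        = true
  enabled_for_template_deployment = true
  # Least privilege for the connector identity: Get and List on secrets, nothing more.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = azurerm_user_assigned_identity.cc.principal_id
    secret_permissions = ["Get", "List"]
  }
  # The principal running Terraform needs write access to create the secrets.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["Set", "Get", "List", "Delete", "Purge", "Recover"]
  }
}
resource "azurerm_key_vault_secret" "zs" {
  for_each     = toset(["api-key", "username", "password"])
  name         = each.key
  value        = var.zs_secrets[each.key]
  key_vault_id = azurerm_key_vault.cc.id
}
```

For a VMSS deployment, add a second azurerm_user_assigned_identity for the Function App and one azurerm_role_assignment per role listed above for each identity.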
- Create an SSH key pair.
- Log in to the Azure Portal.
- Go to SSH keys, then click Create.
The Create an SSH key page appears.
- On the Basics tab:
- Subscription: From the drop-down menu, select the subscription with user access administrator permission to manage deployed resources.
- Resource Group: Select the resource group in which you want to create the SSH key pair or click Create new to create a new resource group.
- Region: From the drop-down menu, select the desired region in which to create the SSH key pair. If you do not select a region, the SSH key is created in the same region as the resource group selected above.
- Key pair name: Enter a name for your key pair.
- SSH public key source: From the drop-down menu, select Generate new key pair.
- Click Next: Tags >.
- On the Tags tab, configure tags to categorize resources, then click Next: Review + create >.
- On the Review + create tab, review your SSH key configurations, and then click Create.
Deploying the Cloud Connector
If you want to configure your own virtual network and subnets, you must do so before launching the Zscaler Cloud Connector Application. When you deploy Cloud Connector in the Azure Marketplace, accelerated networking is enabled by default. To learn more about accelerated networking, refer to the Azure documentation.
After you have met all the prerequisites, perform the following procedures to deploy your Cloud Connector:
- 1. Deploy the Zscaler Cloud Connector Application.
Use one of the following methods to deploy your Cloud Connector:
- Zscaler Cloud Connector Application in the Azure Marketplace
To deploy your Cloud Connector using Azure Marketplace:
- Log in to the Azure Portal.
- Under Marketplace, search for Zscaler Cloud Connector Application.
- Click Create and then select Zscaler Cloud Connector Application.
The Zscaler Cloud Connector Application page appears.
- On the Basics tab:
- Subscription: Select the subscription with user access administrator permission to manage deployed resources.
- Resource group: Click Create new to create a new resource group or select an existing resource group to deploy the Zscaler Cloud Connector Application.
- Region: Select the desired region for your deployment.
- Click Next.
- On the Zscaler Settings tab:
- Provisioning Template URL: Paste your Cloud Connector provisioning template URL.
- Cloud Connectors Instance Type: The Cloud Connector instance type is set to Small by default.
- Zscaler Cloud Connector VM Size for small CC Instance Types: The VM size is set automatically to 1x Standard D2s v3. To change the VM size, click Change size.
- Enable Encryption At Host: Select the checkbox to enable end-to-end encryption using encryption at host. The subscription's account admin must enable this feature. To learn more about host encryption, refer to the Azure product documentation.
- Zscaler Cloud Connector VM Public Key Source: Select Azure Key Pair to select an existing SSH key pair or SSH Public Key to paste your SSH key directly.
- Zscaler Cloud Connector VM SSH Keys: From the drop-down menu, select your SSH key.
- Zscaler Cloud Connector Key Vault Source: Select the source that your key vault belongs to.
- Zscaler Cloud Credentials Key Vault: Select the key vault where your Zscaler cloud credentials are stored.
- User assigned managed identity: Click Add to add the user-assigned managed identity that has access to the key vault and the Network Contributor role. You must select a user-assigned managed identity before you can move to the next step.
- Click Next.
- On the Load Balancer Settings tab:
- Opt out from configuring a Load Balancer: Select this setting to opt out from configuring a load balancer. Only select this setting when deploying in a non-production environment.
- Choose an existing load balancer: Select this setting to choose a load balancer that is already operating in this environment.
- Number of Cloud Connectors: Select the number of Cloud Connectors.
- HTTP Probe Port for Load Balancer: Enter the HTTP probe port: 80 or 1024 to 65535. If selecting an existing load balancer, ensure that the ports match.
- Availability Sets and Availability Zones: Select either Availability Sets or Availability Zones.
- Click Next.
- On the Network Settings tab:
- Availability Zones: Select up to three availability zones. This option is only displayed if you selected Availability Zones on the Load Balancer Settings tab.
- Virtual Network: The virtual network in the resource group into which the Cloud Connector is deployed. By default, a new virtual network is automatically created. Alternatively, you can select another virtual network from the drop-down menu.
- zsccSubnet1: The subnet in the resource group and virtual network into which the Cloud Connector is deployed. By default, a new subnet is automatically created. Alternatively, you can select another subnet from the drop-down menu. The subnet options that appear in the drop-down menu depend on the number of availability zones you select. There can be one subnet per availability zone.
- On the Tags tab, configure tags to categorize resources, then click Next.
- On the Review + Create tab, review the summary of your configurations, then click Create.
- Terraform (Required for VMSS and deployment in China)
Cloud Connector with VMSS deployment requires using the Terraform Deployment Template with Virtual Machine Scale Sets (VMSS) and a new Cloud Provisioning Template with Auto Scaling set to Enabled. To enable Auto Scaling, contact Zscaler Support.
To deploy your Cloud Connector using Terraform:
- Go to the Azure on GitHub repository.
- On GitHub, click Code > Download Zip to download the Terraform zip file.
- Log in to the Azure Portal.
- In the upper-right corner, click the Cloud Shell icon.
- Select Manage Files > Upload to upload the ZIP file you downloaded from GitHub.
- Click Upload again to upload the service account JSON file that you created.
- Unzip the Terraform ZIP file by running the following command:
unzip terraform-azure-cloud-connector-modules-main.zip
- Identify the full path of the Terraform folder and the JSON file.
- Navigate to the examples directory by entering cd terraform-azure-cloud-connector-modules-main/examples.
- Enter ./zsec up to initiate the deployment wizard. The deployment wizard automatically downloads, installs, and initiates the Terraform JSON file.
- 2. Send traffic to your load balancer.
After you complete your deployment from the Azure Portal, you must create a routing table and a workload subnet to redirect traffic to your load balancer.
To send traffic to your load balancer:
- Log in to the Azure Portal.
- Go to Virtual networks, then select the virtual network into which your Cloud Connector is deployed.
- In the left-side navigation, click Subnets, then click + Subnet.
- In the Add subnet window that appears, add a Name and a Subnet address range for the workload subnet.
- Click Save.
- Go to Route tables.
- Click Create.
The Create Route table page appears.
- On the Basics tab:
- Subscription: Select the subscription with user access administrator permission to manage deployed resources.
- Resource Group: Select the resource group in which you want to create the workload route table.
- Region: From the drop-down menu, select the desired region for your deployment.
- Name: Enter a name for your workload route table.
- Propagate gateway routes: Select Yes to propagate gateway routes, or No to prevent the propagation of routes to the network interfaces in associated subnets.
- Click Next: Tags >.
- On the Tags tab, configure tags to categorize resources, then click Next: Review + create >.
- On the Review + create tab, review the summary of your configurations, and then click Create.
- Select your newly created workload route table and click Routes.
- Click Add.
- On the Add route page, enter the following information:
- Route name: Enter a name for the workload route.
- Address prefix destination: From the drop-down menu, select IP Addresses.
- Destination IP addresses/CIDR ranges: Enter 0.0.0.0/0.
- Next hop type: From the drop-down menu, select Virtual appliance.
- Next hop address: Enter the front-end IP address of your load balancer. To find the IP address, locate your deployed load balancer and select Frontend IP configuration.
- Click OK.
- Click Subnets, then click Associate.
- In the Associate subnet window, from the drop-down menu, select your Virtual network and workload Subnet.
- Click OK.
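The workload subnet, route table, default route, and subnet association from the steps above as Terraform, an added example rather than Zscaler's own module. It assumes the virtual network and the load balancer already exist from the deployment; the resource group and virtual network names, the subnet range, and the lb_frontend_ip variable (the load balancer's front-end IP address) are assumptions:

```hcl
provider "azurerm" {
  features {}
}
# Front-end IP of the deployed Cloud Connector load balancer (Frontend IP configuration).
variable "lb_frontend_ip" {
  type = string
  validation {
    condition     = can(cidrhost("${var.lb_frontend_ip}/32", 0))
    error_message = "lb_frontend_ip must be a single IPv4 address."
  }
}
# Assumed names of the resource group and virtual network created by the deployment.
data "azurerm_resource_group" "cc" {
  name = "rg-zscc-example"
}
data "azurerm_virtual_network" "cc" {
  name                = "vnet-zscc-example"
  resource_group_name = data.azurerm_resource_group.cc.name
}
# Workload subnet whose traffic is steered to the connectors.
resource "azurerm_subnet" "workload" {
  name                 = "snet-workload"
  resource_group_name  = data.azurerm_resource_group.cc.name
  virtual_network_name = data.azurerm_virtual_network.cc.name
  address_prefixes     = ["10.0.10.0/24"] # assumed; must fall inside the VNet address space
}
resource "azurerm_route_table" "workload" {
  name                = "rt-workload"
  location            = data.azurerm_resource_group.cc.location
  resource_group_name = data.azurerm_resource_group.cc.name
}
# Default route: everything leaving the workload subnet goes to the load balancer front end.
resource "azurerm_route" "default_via_cc" {
  name                   = "default-via-cloud-connector"
  resource_group_name    = data.azurerm_resource_group.cc.name
  route_table_name       = azurerm_route_table.workload.name
  address_prefix         = "0.0.0.0/0"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = var.lb_frontend_ip
}
# Associate only the workload subnet, never the Cloud Connector subnet (zsccSubnet1) itself.
resource "azurerm_subnet_route_table_association" "workload" {
  subnet_id      = azurerm_subnet.workload.id
  route_table_id = azurerm_route_table.workload.id
}
```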
- 3. Disable disk network access.
Zscaler recommends manually disabling network access to the managed disks attached to your deployed Cloud Connector.
To disable network access:
- Log in to the Azure Portal.
- Go to Resource groups, then locate the Cloud Connector resource group and click the deployed Cloud Connector.
- In the left-side navigation, click Disks. Under OS Disk, select the Disk name.
- In the left-side navigation, click Networking.
- Under Network access, select Disable public and private access.
- Click Save.
Managing the Cloud Connector
After your VM is fully deployed, you can manage the Cloud Connector from the Admin Portal. A deployed Cloud Connector is displayed on the dashboard. The Cloud & Branch Connector Monitoring page provides information on the name, group, location, geolocation, and status of the Cloud Connector VMs deployed in your cloud account.
After verifying deployment, you can configure the following policies:
If you are deploying Cloud Connector in China, Zscaler recommends creating a custom gateway with Zscaler China data centers and traffic forwarding policies referencing your China location and custom gateway. To learn more, see China Premium Internet Access.