Secure Internet and SaaS Access (ZIA)

Configuring Virtual Service Edge for Google Cloud Platform

Zscaler supports standalone Virtual Service Edge for production deployments on the Google Cloud Platform (GCP).

Requirements

Ensure that you meet all of the following requirements:

  • Virtual Service Edges only require outbound connections to the Zscaler cloud. Configure your firewall to allow the necessary outbound connections. To view the firewall requirements, log in to the ZIA Admin Portal, and go to Help > Cloud Configuration Requirements > ZIA Virtual Service Edge.

  • Verify that your license is appropriate to your needs. Go to Administration > Company Profile > Subscriptions, and look for the Virtual Service Edges, noting the server count.
  • Virtual Machine specs for a Virtual Service Edge:
    • CPUs: 4 CPU cores
    • Recommended Instances Type: n2-highmem-4
    • RAM: 32 GB for production
    • Disk: 500 GB. Zscaler recommends using SSDs.
    • Network Interfaces: 3 interfaces (NIC0 for Virtual Service Edge, NIC1 for Management, and (Optional) NIC2 for the Dual Arm Interface).
    • The required IP addresses are as follows:
      • Management IP Address
        • Purpose: Used to make an SSH connection to the Virtual Service Edge VM for management. It is also used to download Virtual Service Edge builds from the Zscaler cloud.
        • Requirements: Accessible via SSH by the Virtual Service Edge administrator during install, and requires outbound access to the internet. This is configured in the Virtual Service Edge CLI.
      • Proxy IP Address
        • Purpose: Used for the outbound data connection (proxied traffic), the outbound control connection to the Zscaler cloud, health monitoring by the load balancer and, in a standalone Virtual Service Edge, for listening for user traffic.
        • Requirements: This is used when creating a Virtual Service Edge instance in the ZIA Admin Portal.

Configuring a Virtual Service Edge

If you are configuring a Virtual Service Edge, you must download its respective SSL certificate from the ZIA Admin Portal. The SSL certificate is unique to the Virtual Service Edge.

To configure a Virtual Service Edge:

  • Deploy the image on GCP using one of the following methods:

    • To deploy the image on the GCP console:

      1. On the GCP console, go to Compute Engine > Images.

      2. Choose the Zscaler OS24 Virtual Service Edge image (e.g., zscaleros24-vse-rev10) and click Create Instance from the Actions menu.

        Contact Zscaler Support for the Virtual Service Edge image on GCP.

      3. On the Create Instance page, define the following parameters:

        • Name: Enter the name of the instance.
        • Region: Select a region for the instance.
        • Series: Select N2.
        • Machine Type: Select n2-highmem-4.

      4. Go to Advanced options > Networking.
      5. Select the Enable checkbox for IP forwarding.
      6. Select VirtIO for Network interface card.
      7. Configure the service interface (NIC0):

        1. Select an appropriate network from the Network field.

          The Subnetwork field is automatically populated based on the selected network.

        2. Click Done.

      8. Configure management interface (NIC1):

        1. Click Add Network Interface.
        2. Select an appropriate network from the Network field.

          The Subnetwork field is automatically populated based on the selected network.

        3. Click Done.

        The zgcpservice_enable service in the rc.conf system configuration file is set to YES by default, which adds the following configurations for the management interface automatically:

        • ifconfig_vtne1
        • defaultrouter
        • static_routes
        • route_sbnet1
        • route_gateway1
      9. (Optional) Configure the dual arm interface (NIC2):
        1. Click Add Network Interface.
        2. Select an appropriate network from the Network field.

          The Subnetwork field is automatically populated based on the selected network.

        3. Click Done.
      10. Click Create.
    • To deploy the image using the gcloud CLI:

      1. Go to gcloud CLI. To learn more, see Install the gcloud CLI.
      2. Run the following command:

        gcloud compute instances create <INSTANCE_NAME> \
          [--image=<IMAGE> | --image-family=<IMAGE_FAMILY>] \
          --image-project=zia-gcp \
          --machine-type=n2-highmem-4 \
          --zone=<ZONE> \
          [--network-interface=[network=<NETWORK>,subnet=<SUBNET>],[stack-type=<STACK_TYPE>],[address=<RESERVED_EXTERNAL_ADDRESS> | no-address],[private-network-ip=<INTERNAL_ADDRESS>] ...]

        Replace the placeholders in angle brackets with the appropriate values. Repeat --network-interface once per interface, in NIC order (service first, then management).

        Contact Zscaler Support for the Virtual Service Edge image name. If you specify the image-family in this command, a VM instance is created using the latest version of the OS image.

        For example, to create an instance with a service interface (NIC0) and a management interface (NIC1):

          gcloud compute instances create mygcpvse \
            --image=zscaleros24-vse-rev10 \
            --image-project=zia-gcp \
            --machine-type=n2-highmem-4 \
            --zone=us-west2-a \
            --network-interface=network=proxy-vpc,subnet=service-subnet \
            --network-interface=network=management-vpc,subnet=management-subnet

        To learn more about deploying the image on GCP using the gcloud CLI, see Create and start a VM instance and Create VMs with multiple network interfaces.


    The newly created VM instance is available on the Compute Engine > VM Instances page of the GCP console.

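As an added example (not Zscaler's tooling, and not code from this page), the following POSIX shell wrapper builds and runs the gcloud command with the settings the console procedure above requires: N2 n2-highmem-4, IP forwarding enabled (--can-ip-forward) and VirtIO network cards (nic-type=VIRTIO_NET), with NIC0 as the service interface, NIC1 as management and an optional NIC2. The instance, image, zone and network names in the usage line are assumed placeholders; the image name comes from Zscaler Support.

```shell
#!/bin/sh
# Added example (not Zscaler's tooling): builds and runs the gcloud command with the
# settings the console procedure requires (N2 n2-highmem-4, IP forwarding, VirtIO NICs,
# NIC0 service + NIC1 management, optional NIC2 dual arm). Resource names must be
# GCP-style (lowercase, digits, hyphens), so unquoted word splitting below is safe.
set -eu

# Usage: vse_create_cmd <instance> <image> <zone> <net0> <subnet0> <net1> <subnet1> [<net2> <subnet2>]
# Prints the gcloud command line; returns 1 unless 2 or 3 network/subnet pairs are given.
vse_create_cmd() {
  inst=$1 image=$2 zone=$3; shift 3
  nics=$(( $# / 2 ))
  if [ $(( $# % 2 )) -ne 0 ] || [ "$nics" -lt 2 ] || [ "$nics" -gt 3 ]; then
    echo "expected 2 or 3 network/subnet pairs, got $# values" >&2
    return 1
  fi
  cmd="gcloud compute instances create $inst --image=$image --image-project=zia-gcp"
  cmd="$cmd --machine-type=n2-highmem-4 --zone=$zone"
  cmd="$cmd --can-ip-forward"        # console step 5: Enable IP forwarding
  while [ $# -ge 2 ]; do             # console step 6: VirtIO for each interface, in NIC order
    cmd="$cmd --network-interface=network=$1,subnet=$2,nic-type=VIRTIO_NET"
    shift 2
  done
  printf '%s\n' "$cmd"
}

# Runs the command, or only prints it when DRY_RUN=1.
vse_deploy() {
  cmd=$(vse_create_cmd "$@") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$cmd"
  else
    $cmd
  fi
}

# Constructed placeholder values; the image name comes from Zscaler Support.
# e.g. DRY_RUN=1 sh deploy-vse.sh mygcpvse zscaleros24-vse-rev10 us-west2-a \
#        proxy-vpc service-subnet management-vpc management-subnet
if [ $# -gt 0 ]; then
  vse_deploy "$@"
fi
```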
  • Add the Virtual Service Edge instance in the ZIA Admin Portal. See Adding Virtual Service Edge Instances.
  • Download the Virtual Service Edge certificate from the ZIA Admin Portal. See Downloading Virtual Service Edge Certificates.
  • You must configure the Virtual Service Edge instance as a VM on the GCP console.

    Zscaler recommends using different servers for each instance to achieve fault tolerance.

    To configure the Virtual Service Edge on the GCP console:

    1. Go to Compute Engine > VM instances.
    2. Select the Virtual Service Edge VM and power it on (click the Power On button, or choose Power On the virtual machine).
    3. Click the Virtual Service Edge VM.

    4. Click Connect to Serial Console, and log in at the FreeBSD command prompt with the following credentials:

      • Username: zsroot
      • Password: zsroot

      The following guidelines apply:

      • Zscaler strongly recommends that you change this default password by running the passwd command.
      • Direct root login is not permitted. Administrators must use the sudo utility to run a command with higher privileges.

    5. Install the SSL certificate of the Virtual Service Edge instance. This is the certificate you downloaded from the ZIA Admin Portal. A Virtual Service Edge uses this certificate to authenticate itself to the Zscaler service.

      To install the SSL certificate of the Virtual Service Edge instance:

      1. Navigate to the SSL certificate that you saved.
      2. Use SCP or SFTP to upload it to the management IP address of the Virtual Service Edge.
      3. Click Connect to Serial Console, or use SSH to connect to the management IP address.
      4. Run the following command:

        sudo vzen install-cert <cert-bundle.zip>

        Specify the absolute path to the certificate bundle (e.g., sudo vzen install-cert /tmp/cert-bundle.zip).

    6. Download the Virtual Service Edge build and start the Virtual Service Edge.
      1. On the GCP console, click Connect to Serial Console, or use SSH to connect to the management IP address.
      2. Run the following command to download the Virtual Service Edge build:

        sudo vzen download-build

        The initial build is around 1 GB, so it may take a while depending on your internet connection. The downloaded build is automatically installed. The Virtual Service Edge automatically starts after the installation is complete.

    7. After the build is deployed, run the following command to check the service status of the Virtual Service Edge:

      sudo vzen status

      Ensure that both the SME and smcdsc services are running.

    8. Run the following commands to check the connectivity with the Zscaler production nodes:
      • sudo ZSINSTANCE=/sc/sme/ /sc/sme/bin/smmgr -ys show=auth

        Ensure that the authentication state is SMAUTHENG_READY_STATE.

      • sockstat | grep -i smcdsc

        Ensure that there are two connections over port 9442.

      • sudo vzen troubleshoot connection

        Ensure that cloud-config and log-stream sessions are present.

    9. (Optional) If you want to use an SNMP management system to monitor the Virtual Service Edge, enable SNMP for the Virtual Service Edge and configure the SNMP parameters. Virtual Service Edges support SNMPv3 only.
      1. Run the following command:

        sudo vzen snmp-admin-configure
      2. Enter a user name for the SNMPv3 management system that sends queries to the Virtual Service Edge. The Virtual Service Edge accepts queries from this user name only.
      3. Enter a password that the Virtual Service Edge uses to authenticate the SNMP management system.
      4. Specify which authentication protocol the Virtual Service Edge can use to authenticate the SNMP user. Enter either MD5 or SHA1.
      5. Specify the encryption (privacy) protocol the Virtual Service Edge uses for the SNMP user's messages. Enter either DES or AES. Of the options offered, SHA1 and AES are the stronger choices.
      6. Run the following command:

        sudo vzen snmp-trap-configure
      7. When asked which traps you want to configure, enter v3 traps.
      8. Enter the IP address of the SNMP trap management system to which the Virtual Service Edge sends traps.
      9. Enter a user name for the SNMP management system.
      10. Enter a password that the Virtual Service Edge uses to authenticate the SNMP management system.
      11. Specify which authentication protocol the Virtual Service Edge can use to authenticate the SNMP user. Enter either MD5 or SHA1.
      12. Specify the encryption (privacy) protocol the Virtual Service Edge uses for the SNMP user's messages. Enter either DES or AES.
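The three connectivity checks in step 8 above, as an added example that is not part of Zscaler's vzen tooling or of this page: each check is a small function that reads the output of the page's command on stdin, so the post-install verification can be scripted and its result acted on. Only the tokens the procedure names (SMAUTHENG_READY_STATE, port 9442, the cloud-config and log-stream sessions) are relied on; the sample outputs at the bottom are constructed stand-ins, not real captures, and the real field layout may differ.

```shell
#!/bin/sh
# Added example, not part of Zscaler's vzen tooling: turns the three step 8 checks
# into functions that read command output on stdin, so the post-install verification
# can be scripted. Only the tokens the procedure names (SMAUTHENG_READY_STATE, port
# 9442, the cloud-config and log-stream sessions) are relied on; the sample outputs at
# the bottom are constructed stand-ins, not real captures, and real field layout may differ.
set -u

# smmgr show=auth output must contain the ready state.
auth_ready() { grep -q 'SMAUTHENG_READY_STATE'; }

# sockstat output must show exactly two smcdsc sockets whose peer port is 9442.
smcdsc_conns_ok() {
  n=$(grep -i 'smcdsc' | grep -c ':9442')
  [ "$n" -eq 2 ]
}

# vzen troubleshoot connection output must list both session types.
sessions_present() {
  out=$(cat)
  printf '%s\n' "$out" | grep -qi 'cloud-config' && printf '%s\n' "$out" | grep -qi 'log-stream'
}

# Runs the page's three commands and reports each result; nonzero if any check failed.
vse_connectivity_check() {
  rc=0
  sudo ZSINSTANCE=/sc/sme/ /sc/sme/bin/smmgr -ys show=auth | auth_ready \
    || { echo "FAIL: auth state is not SMAUTHENG_READY_STATE"; rc=1; }
  sockstat | smcdsc_conns_ok \
    || { echo "FAIL: expected two smcdsc connections over port 9442"; rc=1; }
  sudo vzen troubleshoot connection | sessions_present \
    || { echo "FAIL: cloud-config or log-stream session missing"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: Virtual Service Edge is connected to the Zscaler cloud"
  return "$rc"
}

# Constructed sample outputs to exercise the parsers offline (two smcdsc sockets to
# port 9442 plus an unrelated sshd socket that must be ignored).
SAMPLE_AUTH='auth state: SMAUTHENG_READY_STATE'
SAMPLE_SOCKSTAT='zsroot smcdsc 1234 5 tcp4 10.0.1.5:50112 203.0.113.10:9442
zsroot smcdsc 1234 6 tcp4 10.0.1.5:50113 203.0.113.11:9442
zsroot sshd   900  4 tcp4 10.0.2.5:22     10.0.2.9:51000'
SAMPLE_SESSIONS='cloud-config session: established
log-stream session: established'
```

On a Virtual Service Edge, call vse_connectivity_check after sudo vzen status shows SME and smcdsc running; its exit status can gate the next deployment step.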
  • To deploy a GCP internal load balancer (ILB):

    1. Create and deploy a pair of Virtual Service Edges with NICs, as described earlier in the image deployment steps.
    2. Create a health check to do a TCP port check for port 443 or port 80.
    3. Create an unmanaged instance group and add these VM instances.
    4. Create the ILB and configure the front end for all ports and the backend as the instance group.
    5. Log in to the VMs.
    6. Enter the following command:

      cd /sc/sme/conf
    7. Create a new file called vzen_custom.conf.
    8. Add the following lines:

      [SME]
      smnet_dev=vtnet0=nm0:<internal nic ip>/32:<ILB service ip>/32
      smnet_route=<Internal nw gw ip>/32/nm0/<Internal n/w gateway MAC>
      smnet_route=35.191.0.0/16/<gw ip of internal n/w>
      smnet_route=130.211.0.0/22/<gw ip of internal n/w>
      smnet_route=10.x.x.x/24/<gw ip of internal n/w>
      smnet_dev=vtnet2=nm1:<ip/mask>
      smnet_dflt_gw=<gw ip>
      [-end-of-SME]

      Where:
      • The 35.191.0.0/16 and 130.211.0.0/22 routes are for the GCP health check probes.
      • The second smnet_dev line (vtnet2, nm1) is the private IP address and mask of the second interface used for internet access.
      • smnet_dflt_gw is the gateway IP address for internet access.

    9. (Optional) Add the GCP ILB configuration using the CLI.
      1. On the GCP console, click Connect to Serial Console, or use SSH to connect to the management IP address.
      2. Run the following command:

        vzen gcp-ilb-setup
      3. Enter y to continue configuring GCP ILB.

        You are prompted to add the gateway MAC address.

      4. Enter y to add the gateway MAC address.
      5. Enter the gateway MAC address (e.g., 00:5e:00:53:af).
      6. Enter the ILB Virtual IP (VIP).

        You are prompted to enter the static routes or continue to configure GCP ILB.

      7. (Optional) If you want to configure the static routes (e.g., 10.1.1.0/24/10.1.1.1), enter them in the following format:

        <N/W ip range>/<Mask>/<Gateway ip of internal n/w>
      8. Enter q to complete the GCP ILB configuration.

        You can remove the GCP ILB configuration using the vzen gcp-ilb-clear command.

    10. Run the following command to stagger the upgrades on the Virtual Service Edges:

      vzen delay-upgrade HH:MM

      Because each GCP Virtual Service Edge is a standalone node, staggering the upgrades prevents all nodes from upgrading, and being unavailable, at the same time.

    11. Run the following command to restart the services on the Virtual Service Edge:

      sudo vzen restart
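The vzen_custom.conf file from step 8 of the ILB procedure above, rendered from operator-supplied values, as an added example that is not Zscaler's own tooling or text from this page: every address, MAC and CIDR is validated before anything is printed, so a typo is caught before sudo vzen restart rather than after. The values in the usage line are constructed placeholders, not a real deployment.

```shell
#!/bin/sh
# Added example, not Zscaler's own tooling: renders the [SME] block for
# /sc/sme/conf/vzen_custom.conf from operator-supplied values for the ILB layout above,
# validating every address, MAC and CIDR first so a typo is caught before `sudo vzen restart`.
# The values in the usage line are constructed placeholders, not a real deployment.
set -u

is_ipv4() { printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])$'; }
is_mac()  { printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
is_cidr() {
  case $1 in */*) ;; *) return 1;; esac
  is_ipv4 "${1%/*}" && [ "${1#*/}" -ge 0 ] 2>/dev/null && [ "${1#*/}" -le 32 ]
}

# Args: <NIC0 ip> <ILB VIP> <internal gw ip> <internal gw MAC> <NIC2 ip/mask> <NIC2 gw ip> [client cidr ...]
# Prints the config on stdout; on any invalid field prints nothing and returns 1.
render_vzen_custom_conf() {
  nic0=$1 vip=$2 gw=$3 mac=$4 nic2=$5 gw2=$6; shift 6
  is_ipv4 "$nic0" && is_ipv4 "$vip" && is_ipv4 "$gw" && is_mac "$mac" \
    && is_cidr "$nic2" && is_ipv4 "$gw2" || { echo "invalid address, MAC or mask" >&2; return 1; }
  for r in "$@"; do is_cidr "$r" || { echo "invalid client route: $r" >&2; return 1; }; done
  printf '[SME]\n'
  printf 'smnet_dev=vtnet0=nm0:%s/32:%s/32\n' "$nic0" "$vip"     # service NIC and ILB VIP
  printf 'smnet_route=%s/32/nm0/%s\n' "$gw" "$mac"              # internal gateway via its MAC
  printf 'smnet_route=35.191.0.0/16/%s\n' "$gw"                 # GCP health check probe ranges
  printf 'smnet_route=130.211.0.0/22/%s\n' "$gw"
  for r in "$@"; do printf 'smnet_route=%s/%s\n' "$r" "$gw"; done   # internal client networks
  printf 'smnet_dev=vtnet2=nm1:%s\n' "$nic2"                    # second interface, internet egress
  printf 'smnet_dflt_gw=%s\n' "$gw2"
  printf '[-end-of-SME]\n'
}

# Usage (placeholders): sh gen-vzen-conf.sh 10.0.1.5 10.0.1.100 10.0.1.1 00:5e:00:53:af:01 \
#   10.0.3.5/24 10.0.3.1 10.10.0.0/24 | sudo tee /sc/sme/conf/vzen_custom.conf
if [ $# -ge 6 ]; then
  render_vzen_custom_conf "$@"
fi
```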

After you configure a Virtual Service Edge, you can then forward your internet traffic to it using one of the mechanisms described in Forwarding Traffic to Virtual Service Edges.

Testing and Logging Traffic

To test and log the traffic:

  1. On the GCP console, go to VPC network > Firewall.
  2. Edit the firewall rule for NIC0 to allow the following ports/IP addresses:
    • Egress: Select Allow All.
    • Ingress: Allow the following ports for Zscaler configuration:

      • 9443
      • 443
      • 80
      • 9480
      • 9400

      Also allow any additional ports that your organization specifically requires.

  3. Configure the browser to use the NIC0 IP address on port 9443 as its proxy.
  4. In the ZIA Admin Portal, configure a URL Filtering rule and a Firewall Filtering policy rule to block/allow traffic.

    For example, configure a URL Filtering rule to block URLs belonging to the Social Networking category and a Firewall Filtering policy rule to block the San Jose location.

  5. Make a request to any domain and verify that the traffic is redirected to the ZIA Admin Portal.
  6. Go to Analytics > Web Insights > Logs, and retrieve the logs for the last 15 minutes to verify logs for test traffic are present.

    For example, logs blocking traffic destined for www.facebook.com belonging to the Social Networking category and traffic destined for www.domainsanjose.com, a San Jose-based domain, are present.

Related Articles

  • About Virtual Service Edges
  • About Virtual Service Edge Clusters
  • Configuring Virtual Service Edge Clusters
  • Using an External Load Balancer for Virtual Service Edge Clusters
  • Configuring Virtual Service Edge for Microsoft Azure
  • Configuring Virtual Service Edge for Amazon Web Services
  • Configuring Virtual Service Edge for Amazon Web Services with GWLB
  • Configuring Virtual Service Edge for Microsoft Hyper-V
  • Configuring Virtual Service Edge for Google Cloud Platform
  • Adding Virtual Service Edge Instances
  • Adding Virtual Service Edge Clusters
  • Downloading a Virtual Service Edge VM
  • Downloading Virtual Service Edge Certificates
  • Configuring Virtual Service Edge and NTP Server Synchronization
  • Virtual Service Edge Configuration Guide for Dual Arm Mode
  • Deploying Kerberos for Virtual Service Edges
  • Forwarding Traffic to Virtual Service Edges