Integrating Vulnerability Management for Microsoft Azure Workloads
Zscaler Posture Control (ZPC) enables you to integrate vulnerability management for your Microsoft Azure cloud accounts. The integration allows ZPC to scan the Linux and Windows workloads for known security vulnerabilities and display the scan results in the ZPC Admin Portal, so you can investigate and remediate the vulnerabilities.
- ZPC provides support for scanning images created in Azure Compute Gallery and Azure Marketplace.
- ZPC does not support the vulnerability scanning of Azure Cloud workloads created from unmanaged OS disks (.vhd).
Supported Regions
ZPC supports the vulnerability scanning of Azure cloud workloads located in the following regions:
- Australia Central
- Australia East
- Australia Southeast
- Brazil South
- Canada East
- Canada Central
- Central India
- Central US
- East Asia
- East US
- East US 2
- France Central
- Germany West Central
- Japan East
- Japan West
- Korea South
- Korea Central
- North Europe
- Norway East
- Qatar Central
- South Africa North
- Southeast Asia
- South Central US
- South India
- Sweden Central
- Switzerland North
- UAE North
- UK South
- UK West
- West Europe
- West US 2
- West US 3
- North Central US
- West Central US
- West US
Prerequisites
You must first onboard your Microsoft Azure cloud accounts before configuring the accounts for vulnerability scanning. To learn more, see Onboarding a Microsoft Azure Account.
Snapshots created for vulnerability scanning are deleted by ZPC to avoid additional costs. However, if Azure resource locks are enabled at the resource group or subscription level, ZPC cannot delete the snapshots created for the scan, and this results in additional costs.
Contact ZPC Support to address the resource group lock issue. ZPC requires the `Microsoft.Resources/subscriptions/resourcegroups/write` permission to create the `zpc-vulnerability-scan` resource group without Azure locks and to manage snapshots in the same resource group. You need to onboard a new Azure subscription or re-onboard an existing subscription on ZPC. To learn more, see Onboarding a Microsoft Azure Account.
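The two prerequisites above (the `Microsoft.Resources/subscriptions/resourcegroups/write` action on the role ZPC uses, and no resource lock that would keep the scan snapshots alive) can be checked before onboarding. The following is an added example, not Zscaler's code or tooling: it evaluates JSON in the shape the Azure CLI returns from `az role definition list` and `az lock list`, with the wildcard and NotActions semantics of Azure RBAC. The role definitions, lock objects and names such as `prod-rg` are constructed for illustration, and the exact field names are assumed from the CLI's JSON output.

```python
"""Offline pre-checks for the ZPC Azure vulnerability-scanning prerequisites.

Added example (not Zscaler's code). Two questions are answered:
  1. Does a role definition grant
     Microsoft.Resources/subscriptions/resourcegroups/write?
  2. Is there a CanNotDelete/ReadOnly lock at subscription scope or on the
     zpc-vulnerability-scan resource group that would block snapshot cleanup?
All JSON below is constructed; field names follow the Azure CLI output shape
(assumed, verify against your own `az ... --output json`).
"""
import fnmatch

REQUIRED_ACTION = "Microsoft.Resources/subscriptions/resourcegroups/write"
SCAN_RESOURCE_GROUP = "zpc-vulnerability-scan"


def _matches(pattern: str, action: str) -> bool:
    # Azure RBAC action strings are case-insensitive and '*' spans any
    # characters, '/' included; fnmatch's '*' behaves the same way.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants_action(role_definition: dict, action: str = REQUIRED_ACTION) -> bool:
    """True when some permission block's Actions cover the action and its
    NotActions do not subtract it again (NotActions is a subtraction, not a
    deny; deny assignments are a separate mechanism not modelled here)."""
    for perm in role_definition.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False


def blocking_locks(locks: list, resource_group: str = SCAN_RESOURCE_GROUP) -> list:
    """Return the names of locks that would stop ZPC deleting scan snapshots:
    any CanNotDelete/ReadOnly lock at subscription scope (resourceGroup is
    null, and such locks are inherited by every resource group) or on the
    scan resource group itself."""
    hits = []
    for lock in locks:
        if lock.get("level") not in ("CanNotDelete", "ReadOnly"):
            continue
        rg = lock.get("resourceGroup")
        if rg is None or rg.lower() == resource_group.lower():
            hits.append(lock["name"])
    return hits


# --- constructed samples ---------------------------------------------------
ROLE_OK = {
    "roleName": "zpc-scanner (constructed)",
    "permissions": [{
        "actions": [
            "Microsoft.Compute/*/read",
            "Microsoft.Compute/snapshots/*",
            "Microsoft.Resources/subscriptions/resourceGroups/write",
        ],
        "notActions": [],
    }],
}
ROLE_READER = {"permissions": [{"actions": ["*/read"], "notActions": []}]}
# Broad wildcard grant that NotActions takes away again: effectively missing.
ROLE_WILDCARD_BLOCKED = {
    "permissions": [{"actions": ["Microsoft.Resources/*"], "notActions": ["*/write"]}],
}
SAMPLE_LOCKS = [
    {"name": "no-delete-prod", "level": "CanNotDelete", "resourceGroup": "prod-rg"},
    {"name": "subscription-freeze", "level": "ReadOnly", "resourceGroup": None},
    {"name": "keep-scan-rg", "level": "CanNotDelete", "resourceGroup": "zpc-vulnerability-scan"},
]

if __name__ == "__main__":
    for name, role in (("ok", ROLE_OK), ("reader", ROLE_READER), ("blocked", ROLE_WILDCARD_BLOCKED)):
        print(f"role {name}: grants required action = {role_grants_action(role)}")
    print("locks that block snapshot cleanup:", blocking_locks(SAMPLE_LOCKS))
```

The lock check deliberately ignores locks on other resource groups (`prod-rg` above), since only locks that apply to `zpc-vulnerability-scan` or to the whole subscription affect the snapshots. The role check looks at a single role definition; effective permissions in Azure are the union of all role assignments at the scope, so run it against each role assigned to the identity ZPC onboarded with.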
Integrating Vulnerability Management for Azure Workloads
To integrate the vulnerability management for Azure workloads:
- Go to Administration > Container Registries & Workloads.
- Click Add Integration.
- Under General Information:
  - For Vulnerability Scanning Type, select Cloud Workloads.
  - For Cloud Type, select Azure.
- Click Next.
- Under Account Selection, choose one of the following:
  - Accounts: Select the individual accounts that must be configured for scanning.
  - Organizations: Select the accounts within a specific organization that must be configured for scanning.
- Click Finish.
A message is displayed indicating that the vulnerability management integration is successful. You can set up the vulnerability scanning rule and schedule the scan to run at regular intervals. To learn more, see Adding a Vulnerability Scanning Rule for Cloud Workloads.