09/24/2024 | News release | Distributed by Public on 09/24/2024 13:41
Cloud Connectors are typically deployed as part of a security stack on a regional zone basis. Workload route tables are then updated to forward traffic destined for ZIA and/or ZPA to the stack for that region. By default, the security stack is deployed into a single Resource Group to ease resource management.
The security stack is made up of:
This new capability also adds the following components:
Refer to Figure 1 below.
Figure 1: Azure VM Scale Sets with Zscaler Cloud Connector Topology
The entire security stack depicted in Figure 1, including its configuration, is designed to be deployed programmatically via Terraform.
Both brownfield and greenfield environments are supported. These Terraform modules can be found at https://github.com/zscaler/terraform-azurerm-cloud-connector-modules/
Let's describe how this new capability works in more detail.
Customers specify (via Terraform variables):
So if using the defaults, the minimum number of Cloud Connectors per VMSS will be 2, and can scale out to a maximum of 5. These numbers can be tailored, based on the requirements of the customer's environment.
Customers then specify thresholds (again via Terraform variables) for scale out and scale in events. These are based on the CPU utilization percentage of the Cloud Connectors.
With the default settings, if a Cloud Connector's CPU utilization is greater than 70% for 5 minutes, the scale set will automatically deploy an additional Cloud Connector, up to the maximum amount specified (default = 5). Cooldown time is 15 minutes by default.
For scale in, when a Cloud Connector's CPU utilization is less than 50% for 5 minutes, the Cloud Connector count will be decreased by one, all the way down to the minimum amount (default = 2) if required. Cooldown time is 15 minutes by default.
See Figure 2 for an example of a scale out rule, and Figure 3 for an example of a scale in rule.
Figure 2: Example Scale Out Rule
Figure 3: Example Scale In Rule
There is also an option to configure scheduled VMSS scaling, which enables customers to define the minimum number of Cloud Connectors for a specified time period.
For example, if high traffic times are Monday to Friday, 9AM to 5PM, customers can specify the number of additional Cloud Connectors to be available during this time, then return to the normal running state outside of the defined time range.
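The default scale out and scale in rules described above, written as an `azurerm_monitor_autoscale_setting` resource. This is an added example, not code from the Zscaler Terraform modules; the resource name, the three input variables, and the Average statistic and one-minute time grain are assumptions.

```hcl
# Added example: variable and resource names are hypothetical placeholders.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "vmss_id" { type = string } # resource ID of the Cloud Connector scale set
locals {
  rules = {
    out = { operator = "GreaterThan", threshold = 70, direction = "Increase" }
    in  = { operator = "LessThan", threshold = 50, direction = "Decrease" }
  }
}

resource "azurerm_monitor_autoscale_setting" "cc_vmss" {
  name                = "cc-vmss-autoscale"
  resource_group_name = var.resource_group_name
  location            = var.location
  target_resource_id  = var.vmss_id
  profile {
    name = "default"
    capacity {
      minimum = 2 # default minimum Cloud Connectors per VMSS
      default = 2
      maximum = 5 # default maximum Cloud Connectors per VMSS
    }
    dynamic "rule" {
      for_each = local.rules # one rule for scale out, one for scale in
      content {
        metric_trigger {
          metric_name        = "Percentage CPU"
          metric_resource_id = var.vmss_id
          statistic          = "Average" # assumption
          time_aggregation   = "Average" # assumption
          time_grain         = "PT1M"    # assumption
          time_window        = "PT5M"    # threshold must hold for 5 minutes
          operator           = rule.value.operator
          threshold          = rule.value.threshold
        }
        scale_action {
          direction = rule.value.direction
          type      = "ChangeCount"
          value     = "1"     # add or remove one Cloud Connector
          cooldown  = "PT15M" # default cooldown of 15 minutes
        }
      }
    }
  }
}
```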