feat: gwlb configuration changes
jmolnar-zscaler committed Feb 2, 2023
1 parent 1a944df commit 1aad7ea
Showing 17 changed files with 222 additions and 54 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -4,6 +4,11 @@
* name_prefix variable default string changed from zsdemo to zscc
* validation length constraint added to name_prefix variable
* dependency fixes for vpc/subnet data resource selection when vpc was originally created with example templates
* GWLB default changes/new features:
- Enable rebalance
- flow stickiness set to 2-tuple (src/dst)
- deregistration delay disabled
- healthy_threshold lowered from 3 to 2

## v0.1.0 (December 15, 2022)
* github release refactor from Cloud Connector Portal
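Review bot: two of the four GWLB sub-bullets describe changes that do not appear in any hunk of this commit: `deregistration delay disabled` and `healthy_threshold lowered from 3 to 2` show up only as unchanged context (`deregistration_delay` default `0`, `healthy_threshold` default `2`) in the README and variables.tf hunks below, while the two inputs this commit actually adds, `flow_stickiness` and `rebalance_enabled`, are named only indirectly as `Enable rebalance` and `flow stickiness set to 2-tuple`. If the threshold and delay defaults were changed in the module files not shown here, say so; otherwise name the new variables in the bullets so the changelog can be matched to the diff. Capitalization of the sub-bullets is also inconsistent (`Enable rebalance` vs `flow stickiness ...`).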
2 changes: 2 additions & 0 deletions examples/base_cc_gwlb/README.md
@@ -97,13 +97,15 @@ From base_cc_gwlb directory execute:
| <a name="input_ccvm_instance_type"></a> [ccvm\_instance\_type](#input\_ccvm\_instance\_type) | Cloud Connector Instance Type | `string` | `"m5.large"` | no |
| <a name="input_cross_zone_lb_enabled"></a> [cross\_zone\_lb\_enabled](#input\_cross\_zone\_lb\_enabled) | Determines whether GWLB cross zone load balancing should be enabled or not | `bool` | `false` | no |
| <a name="input_deregistration_delay"></a> [deregistration\_delay](#input\_deregistration\_delay) | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | `number` | `0` | no |
| <a name="input_flow_stickiness"></a> [flow\_stickiness](#input\_flow\_stickiness) | Options are 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip). By default, Zscaler recommends 2-tuple to maintain flow stickiness to a specific target appliance. | `string` | `"2-tuple"` | no |
| <a name="input_gwlb_enabled"></a> [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `true` | no |
| <a name="input_health_check_interval"></a> [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no |
| <a name="input_healthy_threshold"></a> [healthy\_threshold](#input\_healthy\_threshold) | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | `number` | `2` | no |
| <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
| <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no |
| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
| <a name="input_rebalance_enabled"></a> [rebalance\_enabled](#input\_rebalance\_enabled) | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no\_rebalance. Default: true | `bool` | `true` | no |
| <a name="input_reuse_iam"></a> [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no |
| <a name="input_reuse_security_group"></a> [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no |
| <a name="input_secret_name"></a> [secret\_name](#input\_secret\_name) | AWS Secrets Manager Secret Name for Cloud Connector provisioning | `string` | n/a | yes |
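Review bot: the new `rebalance_enabled` row names the two attribute values (`rebalance` / `no_rebalance`) but not what each does to traffic, which is the decision an operator has to make: the description should state what happens to flows already pinned to a Cloud Connector when it is deregistered or marked unhealthy under each setting (moved to a remaining healthy target, or left on the failed target), so the `true` default is justified by a consequence rather than only declared. The `flow_stickiness` row has the same gap: "Zscaler recommends 2-tuple" would be stronger as "2-tuple keeps every flow between a given source and destination on the same target appliance", since that is why the narrower hash matters for stateful inspection.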
2 changes: 2 additions & 0 deletions examples/base_cc_gwlb/main.tf
@@ -193,6 +193,8 @@ module "gwlb" {
unhealthy_threshold = var.unhealthy_threshold
cross_zone_lb_enabled = var.cross_zone_lb_enabled
deregistration_delay = var.deregistration_delay
flow_stickiness = var.flow_stickiness
rebalance_enabled = var.rebalance_enabled
}


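Review bot: `flow_stickiness` and `rebalance_enabled` are now passed to `module "gwlb"`, so the module must declare both input variables or `terraform validate` will fail with an unsupported-argument error; the module's own files are not among the hunks shown here, so confirm they were updated in this same commit. The module should also carry its own validation of the three accepted `flow_stickiness` strings rather than relying on the `validation` block in this example's variables.tf, because the module can be consumed without this example.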
24 changes: 18 additions & 6 deletions examples/base_cc_gwlb/terraform.tfvars
@@ -2,7 +2,7 @@
## Uncomment and change the below variables according to your specific environment

#####################################################################################################################
##### Variables 1-17 are populated automically if terraform is ran via ZSEC bash script. #####
##### Variables 1-20 are populated automically if terraform is ran via ZSEC bash script. #####
##### Modifying the variables in this file will override any inputs from ZSEC #####
#####################################################################################################################

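Review bot: the range moves from `1-17` to `1-20`, an increase of three, but this commit inserts only two numbered sections (15 and 16) further down, so the set of variables described as populated by ZSEC now includes section 20 (`allowed_principals`) where it previously stopped one short of the last section. Either the old header undercounted or the new one overcounts; check whether the bash script actually sets `allowed_principals` and otherwise use `1-19`. While editing the line, fix `automically` (automatically) and `is ran` (is run).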
@@ -129,26 +129,38 @@

#cross_zone_lb_enabled = true

## 15. Gateway loadbalancing hashing algorith. Zscaler recommended default is 2-tuple (source_ip_dest_ip).
## Additional options include: 3-tuple (source_ip_dest_ip_proto) and 5-tuple (None)
## Uncomment below the configuration you want to use.

## 15. By default, this script will apply 1 Security Group per Cloud Connector instance.
#flow_stickiness = "2-tuple"
#flow_stickiness = "3-tuple"
#flow_stickiness = "5-tuple"

## 16. Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy.
## true means rebalance after deregistration. false means no_rebalance. (Default: true)
## Uncomment to turn this feature off (not recommended)

#rebalance_enabled = false

## 17. By default, this script will apply 1 Security Group per Cloud Connector instance.
## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)

#reuse_security_group = true


## 16. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance.
## 18. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance.
## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)

#reuse_iam = true


## 17. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts.
## 19. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts.
## Uncomment if you want to require manual acceptance. (true or false. Default: false)

#acceptance_required = true


## 18. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account.
## 20. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account.
## Uncomment if you want to override this with more specific/restrictive principals. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests"

#allowed_principals = [\"arn:aws:iam::1234567890:root\"]
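Review bot: the new `## 15.` comment has two typos, `loadbalancing hashing algorith` (load balancing hashing algorithm), and the parenthetical `5-tuple (None)` is unclear next to `2-tuple (source_ip_dest_ip)` and `3-tuple (source_ip_dest_ip_proto)`: state that 5-tuple means no stickiness attribute is set on the target group, and that 3-tuple and 5-tuple can spread flows of the same source/destination pair across different Cloud Connectors, which is the reason 2-tuple is the recommended default. The `## 16.` comment marks turning rebalance off as "not recommended" without giving the reason; one clause on what happens to in-flight flows when a target is deregistered in each mode would make that actionable. Separately, the unchanged `#allowed_principals = [\"arn:aws:iam::1234567890:root\"]` context line will not parse as HCL once uncommented because of the backslash-escaped quotes; worth fixing while this file is open.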
21 changes: 21 additions & 0 deletions examples/base_cc_gwlb/variables.tf
@@ -213,3 +213,24 @@ variable "deregistration_delay" {
description = "Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds."
default = 0
}

variable "flow_stickiness" {
type = string
description = "Options are 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip). By default, Zscaler recommends 2-tuple to maintain flow stickiness to a specific target appliance. "
default = "2-tuple"

validation {
condition = (
var.flow_stickiness == "2-tuple" ||
var.flow_stickiness == "3-tuple" ||
var.flow_stickiness == "5-tuple"
)
error_message = "Input flow_stickiness must be set to an approved value of either 5-tuple, 3-tuple, or 2-tuple."
}
}

variable "rebalance_enabled" {
type = bool
description = "Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no_rebalance. Default: true"
default = true
}
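Review bot: the `flow_stickiness` description ends with a trailing space before the closing quote (`appliance. "`), which terraform-docs copies into the README table; trim it. Style point on the `validation` block: `contains(["2-tuple", "3-tuple", "5-tuple"], var.flow_stickiness)` expresses the same condition as the three `||` comparisons and keeps the accepted list in one place next to the `error_message` that repeats it. The `rebalance_enabled` description would also benefit from saying what `rebalance` does to existing flows, not only that it is the default.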
2 changes: 2 additions & 0 deletions examples/base_cc_gwlb_zpa/README.md
@@ -99,13 +99,15 @@ From base_cc_gwlb_zpa directory execute:
| <a name="input_cross_zone_lb_enabled"></a> [cross\_zone\_lb\_enabled](#input\_cross\_zone\_lb\_enabled) | Determines whether GWLB cross zone load balancing should be enabled or not | `bool` | `false` | no |
| <a name="input_deregistration_delay"></a> [deregistration\_delay](#input\_deregistration\_delay) | Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. | `number` | `0` | no |
| <a name="input_domain_names"></a> [domain\_names](#input\_domain\_names) | Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables | `map(any)` | n/a | yes |
| <a name="input_flow_stickiness"></a> [flow\_stickiness](#input\_flow\_stickiness) | Options are 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip). By default, Zscaler recommends 2-tuple to maintain flow stickiness to a specific target appliance. | `string` | `"2-tuple"` | no |
| <a name="input_gwlb_enabled"></a> [gwlb\_enabled](#input\_gwlb\_enabled) | Default is true. Workload/Route 53 subnet Route Tables will point to network\_interface\_id via var.cc\_service\_enis. If true, Route Tables will point to vpc\_endpoint\_id via var.gwlb\_endpoint\_ids input. | `bool` | `true` | no |
| <a name="input_health_check_interval"></a> [health\_check\_interval](#input\_health\_check\_interval) | Interval for GWLB target group health check probing, in seconds, of Cloud Connector targets. Minimum 5 and maximum 300 seconds | `number` | `10` | no |
| <a name="input_healthy_threshold"></a> [healthy\_threshold](#input\_healthy\_threshold) | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10 | `number` | `2` | no |
| <a name="input_http_probe_port"></a> [http\_probe\_port](#input\_http\_probe\_port) | Port number for Cloud Connector cloud init to enable listener port for HTTP probe from GWLB Target Group | `number` | `50000` | no |
| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | The name prefix for all your resources | `string` | `"zscc"` | no |
| <a name="input_owner_tag"></a> [owner\_tag](#input\_owner\_tag) | populate custom owner tag attribute | `string` | `"zscc-admin"` | no |
| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | Public/NAT GW Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
| <a name="input_rebalance_enabled"></a> [rebalance\_enabled](#input\_rebalance\_enabled) | Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no\_rebalance. Default: true | `bool` | `true` | no |
| <a name="input_reuse_iam"></a> [reuse\_iam](#input\_reuse\_iam) | Specifies whether the SG module should create 1:1 IAM per instance or 1 IAM for all instances | `bool` | `false` | no |
| <a name="input_reuse_security_group"></a> [reuse\_security\_group](#input\_reuse\_security\_group) | Specifies whether the SG module should create 1:1 security groups per instance or 1 security group for all instances | `bool` | `false` | no |
| <a name="input_route53_subnets"></a> [route53\_subnets](#input\_route53\_subnets) | Route 53 Outbound Endpoint Subnets to create in VPC. This is only required if you want to override the default subnets that this code creates via vpc\_cidr variable. | `list(string)` | `null` | no |
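Review bot: the `flow_stickiness` and `rebalance_enabled` rows here are identical to the ones added to examples/base_cc_gwlb/README.md, and carry the same gap: neither says what the setting does to traffic. The `rebalance_enabled` description should state what happens to flows already on a deregistered or unhealthy target under `rebalance` versus `no_rebalance`, and the `flow_stickiness` description should say that 2-tuple pins all flows of a source/destination pair to one appliance, instead of only that it is recommended. Since both READMEs are generated from the variable descriptions, the fix belongs in the two variables.tf files so the tables stay in sync.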
2 changes: 2 additions & 0 deletions examples/base_cc_gwlb_zpa/main.tf
@@ -196,6 +196,8 @@ module "gwlb" {
unhealthy_threshold = var.unhealthy_threshold
cross_zone_lb_enabled = var.cross_zone_lb_enabled
deregistration_delay = var.deregistration_delay
flow_stickiness = var.flow_stickiness
rebalance_enabled = var.rebalance_enabled
}


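Review bot: same wiring as the non-ZPA example: both new arguments are passed to `module "gwlb"`, so the module must declare `flow_stickiness` and `rebalance_enabled` or validation fails; the module files are not in the hunks shown here, so confirm they changed in this commit. Aligning the `=` signs of the two new lines with the existing `unhealthy_threshold` / `cross_zone_lb_enabled` block is what `terraform fmt` will produce anyway.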
23 changes: 18 additions & 5 deletions examples/base_cc_gwlb_zpa/terraform.tfvars
@@ -17,7 +17,7 @@


#####################################################################################################################
##### Variables 1-17 are populated automically if terraform is ran via ZSEC bash script. #####
##### Variables 1-20 are populated automically if terraform is ran via ZSEC bash script. #####
##### Modifying the variables in this file will override any inputs from ZSEC #####
#####################################################################################################################

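Review bot: as in the non-ZPA tfvars, `1-17` becomes `1-20` while only two numbered sections are added below, so the auto-populated range now covers section 20 (`allowed_principals`) that it previously excluded; verify the ZSEC script sets that variable or use `1-19`. Fix `automically` and `is ran` on the same line.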
@@ -144,26 +144,39 @@

#cross_zone_lb_enabled = true

## 15. Gateway loadbalancing hashing algorith. Zscaler recommended default is 2-tuple (source_ip_dest_ip).
## Additional options include: 3-tuple (source_ip_dest_ip_proto) and 5-tuple (None)
## Uncomment below the configuration you want to use.

## 15. By default, this script will apply 1 Security Group per Cloud Connector instance.
#flow_stickiness = "2-tuple"
#flow_stickiness = "3-tuple"
#flow_stickiness = "5-tuple"

## 16. Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy.
## true means rebalance after deregistration. false means no_rebalance. (Default: true)
## Uncomment to turn this feature off (not recommended)

#rebalance_enabled = false

## 17. By default, this script will apply 1 Security Group per Cloud Connector instance.
## Uncomment if you want to use the same Security Group for ALL Cloud Connectors (true or false. Default: false)

#reuse_security_group = true


## 16. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance.
## 18. By default, this script will apply 1 IAM Role/Instance Profile per Cloud Connector instance.
## Uncomment if you want to use the same IAM Role/Instance Profile for ALL Cloud Connectors (true or false. Default: false)

#reuse_iam = true


## 17. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts.
## 19. By default, the VPC Endpoint Service created will auto accept any VPC Endpoint registration attempts.
## Uncomment if you want to require manual acceptance. (true or false. Default: false)

#acceptance_required = true


## 18. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account.
## 20. By default, the VPC Endpoint Service is configured to auto accept any VPC Endpoint registration attempts from any principal in the current AWS Account.
## Uncomment if you want to override this with more specific/restrictive principals. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests"

#allowed_principals = [\"arn:aws:iam::1234567890:root\"]
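Review bot: the `## 15.` and `## 16.` comments are copied verbatim from examples/base_cc_gwlb/terraform.tfvars, including the `loadbalancing hashing algorith` typos and the unexplained `5-tuple (None)`, which should read as "no stickiness attribute set on the target group"; fix both copies together. The numbering note at the top of this file says sections 1-20 are populated by ZSEC, so the three commented `#flow_stickiness` alternatives and `#rebalance_enabled = false` should be labelled as overrides of what the script writes, consistent with the "Modifying the variables in this file will override any inputs from ZSEC" banner. The `#allowed_principals = [\"...\"]` context line has the same invalid escaped quotes as in the other example.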
21 changes: 21 additions & 0 deletions examples/base_cc_gwlb_zpa/variables.tf
@@ -203,6 +203,27 @@ variable "deregistration_delay" {
default = 0
}

variable "flow_stickiness" {
type = string
description = "Options are 5-tuple (src ip/src port/dest ip/dest port/protocol), 3-tuple (src ip/dest ip/protocol), or 2-tuple (src ip/dest ip). By default, Zscaler recommends 2-tuple to maintain flow stickiness to a specific target appliance. "
default = "2-tuple"

validation {
condition = (
var.flow_stickiness == "2-tuple" ||
var.flow_stickiness == "3-tuple" ||
var.flow_stickiness == "5-tuple"
)
error_message = "Input flow_stickiness must be set to an approved value of either 5-tuple, 3-tuple, or 2-tuple."
}
}

variable "rebalance_enabled" {
type = bool
description = "Indicates how the GWLB handles existing flows when a target is deregistered or marked unhealthy. true means rebalance. false means no_rebalance. Default: true"
default = true
}

variable "domain_names" {
type = map(any)
description = "Domain names fqdn/wildcard to have Route 53 redirect DNS requests to Cloud Connector for ZPA. Refer to terraform.tfvars ZPA/Route 53 specific variables"
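Review bot: this block duplicates the `flow_stickiness` and `rebalance_enabled` declarations from examples/base_cc_gwlb/variables.tf, trailing space in the description (`appliance. "`) included; trim it in both places so terraform-docs output is clean. The `validation` condition is a candidate for `contains(["2-tuple", "3-tuple", "5-tuple"], var.flow_stickiness)`, and since the same two variables now live in two example directories plus (presumably) the module, consider making the module the single place that validates accepted values so the three copies cannot drift.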