Migrating to the cloud offers organizations greater scale and agility for deploying applications. But with that agility comes greater complexity and a higher volume of manual tasks. These challenges prevent operators from taking full advantage of the benefits the cloud offers and increase the strain on their teams. To address them, operators need a way to automate and optimize their existing processes so they can move at the speed that cloud networking demands.
Managing security policy and compliance for those applications is complex in itself. When security teams also rely on manual change-management processes, the result is delayed implementation and operations, and added security risk.
An application can be made both continuously secure and reliable, with closer collaboration between the DevOps and DevSecOps teams, through practices that reinforce security at every stage of the development pipeline.
Transparent security speeds up application deployment and makes the DevOps and Platform teams equal stakeholders in producing highly resilient and secure applications.
The DevOps Promise and Reality
The promise of DevOps is a fully automated pipeline for continuous integration, delivery, and deployment, all the way to the point where users can consume the resulting services.
However, the reality in many organizations is that they are still unable to implement a fully automated process for deploying applications into their production environment.
Instead, many organizations still rely on manual processes and multiple teams to manage their day-N operations, which hinders the goal of making applications available to end users quickly, consistently, and securely.
Application developers who need to scale their applications are typically required to open new change-management tickets that flow through multiple teams in the organization, such as system admins, network admins, and security operations, each with its own timelines and requirements for approving a change. In some cases the process requires multiple change requests, and at the end of it the required changes still have to be configured manually before the application can be consumed.
All of these manual handoffs increase the risk of mistakes, slow the process, and prevent a standardized deployment model.
Consul-Terraform-Sync
Network Infrastructure Automation is how HashiCorp Consul addresses the complexities of cloud-based services and enables dynamic updates across a multi-cloud environment to ensure consistent security and compliance at the speed applications are developed, deployed, and made available for user consumption.
One way that Consul provides infrastructure automation is through Consul-Terraform-Sync (CTS). CTS runs a daemon that watches for Consul state changes at the application layer (service health changes, new instances being deployed, and so on) and passes the relevant data to the Zscaler Terraform modules, which are then run automatically.
CTS uses Terraform as its underlying automation tool and leverages the Terraform Provider ecosystem to drive the relevant changes. Combined, these capabilities allow organizations to automate their day-N operations so that the infrastructure stays in constant alignment with the application state, while the entire process is abstracted into a declarative model, as displayed in the picture below:
In addition to all the benefits mentioned thus far, CTS guarantees that your automation process across the Zscaler platform is easily repeatable with consistent results.
Zscaler + Consul-Terraform-Sync (CTS)
Many organizations that use Zscaler to secure their cloud environment and control their users' access through zero trust policies are adopting more of a DevOps mindset every day. These organizations require agility and tools that enable their teams to deploy applications quickly and securely, regardless of the environment where those applications are hosted.
Zscaler's integration with Consul-Terraform-Sync (CTS) provides three modules for complete automation of day-N operations.
Using Consul-Terraform-Sync (CTS), Zscaler and HashiCorp Consul can facilitate day-N dynamic updates across the Zscaler platform based on application and security teams' demands. This joint solution was designed with scalability in mind while at the same time maintaining a zero-trust model.
As new services are registered or deregistered from the Consul catalog, Consul-Terraform-Sync updates application segments or application server IP addresses, FQDNs, and TCP ports for the relevant applications in the Zscaler Private Access platform.
The third module updates IP Source Groups in the Zscaler Internet Access Cloud Firewall, so that predefined Cloud Firewall rules apply only to authorized IP addresses that Consul is monitoring.
Zscaler Private Access with Consul-Terraform-Sync (CTS)
Zscaler Private Access provides two CTS automation modules, both of which leverage the ZPA Terraform Provider.
Zscaler Internet Access with Consul-Terraform-Sync (CTS)
The Zscaler Internet Access CTS module uses the ZIA Terraform Provider to create, update, or delete Source IP Group entries. Source IP Groups let you group and control source IP addresses within the Zscaler Cloud Firewall by specifying individual IP addresses.
This CTS module dynamically adds, updates, or deletes individual application IP addresses within a Source IP Group as the corresponding instances change in the Consul catalog.
Benefits
Eliminate manual ticketing processes
Consul-Terraform-Sync is designed to automate many tasks across different cloud environments that DevOps teams have traditionally handled manually.
Examples include updating entries at scale in a Zscaler Private Access application segment, or updating IP Source Group entries in Zscaler Internet Access so that the change is reflected automatically in a Cloud Firewall rule.
Native Integration Between CTS and Terraform Cloud
Organizations using Consul Enterprise and Terraform Cloud can integrate Consul-Terraform-Sync through its native "terraform-cloud" driver. Using Terraform Cloud with CTS brings additional benefits, such as creating separate projects and workspaces for different requirements and moving workspaces between projects.
Terraform Cloud can also send notifications to external systems such as webhooks, Teams, email, and Slack. If the organization requires a review of a particular configuration before it is applied to the production environment, these notifications can be pointed at an ITSM system such as ServiceNow via webhook for incident creation and approval.
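As an added example (not Zscaler's or HashiCorp's published code), the CTS configuration below ties the mechanism described earlier, a Consul service condition that re-runs a Terraform module, to a ZIA Source IP Group task using the terraform-cloud driver from this section. The Consul address, Terraform Cloud organization and token, the service name, and the module source are placeholders and must be replaced with your own values.

```hcl
# Added example of a Consul-Terraform-Sync configuration. Every value marked
# PLACEHOLDER is an assumption; the module source is not Zscaler's real path.

consul {
  address = "consul.example.internal:8500"   # PLACEHOLDER
}

# Enterprise driver: CTS executes each task as a Terraform Cloud workspace,
# so runs, state and notifications live in Terraform Cloud.
driver "terraform-cloud" {
  hostname     = "https://app.terraform.io"
  organization = "PLACEHOLDER-org"
  token        = "PLACEHOLDER-team-token"    # supply from a secrets manager, not a file

  required_providers {
    zia = {
      source = "zscaler/zia"
    }
  }
}

# ZIA credentials are supplied as sensitive workspace variables configured
# outside this file (assumption), so nothing secret is checked in with it.
terraform_provider "zia" {}

# One task: re-run the module whenever instances of the "web" service
# register, deregister, or change health status in the Consul catalog.
task {
  name        = "zia-source-ip-group-web"
  description = "Keep a ZIA Cloud Firewall Source IP Group aligned with 'web' instances"
  module      = "PLACEHOLDER/path-to-zia-source-ip-group-module"
  providers   = ["zia"]

  condition "services" {
    names = ["web"]   # PLACEHOLDER service name
  }
}
```

Because the task is scoped to one named service and one Source IP Group, a reviewer can check the Terraform Cloud plan for that workspace before approving an apply that changes firewall membership.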
Adopt Best Practices and Reduce Risk
This CTS integration minimizes the impact of misconfiguration errors across multiple ZPA application segments and ZIA IP Source Groups. It not only helps organizations reduce their risk, but also ensures that their ZPA and ZIA constructs are kept up to date with the real state of their application environment as changes occur.