implementing-zero-trust-network-access
Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation, continuous verification with conditional access policies, and replacing traditional VPN-based access with BeyondCorp-style architectures across AWS, Azure, and GCP.
What this skill does
# Implementing Zero Trust Network Access ## When to Use - When replacing traditional VPN-based remote access with identity-based access controls - When implementing micro-segmentation to limit lateral movement within cloud networks - When compliance or security strategy requires zero trust architecture adoption - When providing secure access to cloud workloads without exposing them to the public internet - When building context-aware access policies based on user identity, device health, and location **Do not use** as a complete replacement for network security controls (ZTNA complements but does not replace firewalls and network ACLs), for protecting internet-facing public applications (use WAF), or for IoT device access where identity-based authentication is not feasible. ## Prerequisites - Identity provider (Entra ID, Okta, Google Workspace) with MFA enforcement - Cloud-native networking capabilities (AWS PrivateLink, Azure Private Link, GCP IAP) - Device management solution (Intune, Jamf, CrowdStrike) for device posture assessment - Service mesh or zero trust proxy (Cloudflare Access, Zscaler ZPA, or cloud-native IAP) - Centralized logging for access decisions and policy enforcement ## Workflow ### Step 1: Deploy GCP Identity-Aware Proxy (IAP) for Application Access Configure IAP to provide authenticated access to web applications without VPN. ```bash # Enable IAP API gcloud services enable iap.googleapis.com # Configure OAuth consent screen gcloud iap oauth-brands create \ --application_title="Corporate Apps" \ [email protected] # Enable IAP on an App Engine application gcloud iap web enable \ --resource-type=app-engine \ --oauth2-client-id=CLIENT_ID \ --oauth2-client-secret=CLIENT_SECRET # Enable IAP on a backend service (GCE/GKE) gcloud compute backend-services update BACKEND_SERVICE \ --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \ --global # Set IAP access policy (who can access) gcloud iap web add-iam-policy-binding \ --resource-type=app-engine \ --member="group:[email protected]" \ --role="roles/iap.httpsResourceAccessor" # Configure access levels based on device and context gcloud access-context-manager levels create corporate-device \ --title="Corporate Managed Device" \ --basic-level-spec=level-spec.yaml \ --policy=POLICY_ID ``` ### Step 2: Implement AWS Verified Access for Zero Trust Deploy AWS Verified Access to provide identity-based access to internal applications. ```bash # Create a Verified Access trust provider (OIDC) aws ec2 create-verified-access-trust-provider \ --trust-provider-type user \ --user-trust-provider-type oidc \ --oidc-options '{ "Issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0", "AuthorizationEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize", "TokenEndpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token", "UserInfoEndpoint": "https://graph.microsoft.com/oidc/userinfo", "ClientId": "CLIENT_ID", "ClientSecret": "CLIENT_SECRET", "Scope": "openid profile email" }' # Create a Verified Access instance aws ec2 create-verified-access-instance \ --description "Zero Trust Access Instance" # Attach trust provider to instance aws ec2 attach-verified-access-trust-provider \ --verified-access-instance-id vai-INSTANCE_ID \ --verified-access-trust-provider-id vatp-PROVIDER_ID # Create a Verified Access group with policy aws ec2 create-verified-access-group \ --verified-access-instance-id vai-INSTANCE_ID \ --policy-document '{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": "*", "Action": "verified-access:AllowAccess", "Condition": { "StringEquals": { "verified-access:user/groups": "engineering" } } }] }' # Create endpoint for an internal application aws ec2 create-verified-access-endpoint \ --verified-access-group-id vag-GROUP_ID \ --endpoint-type load-balancer \ --attachment-type vpc \ --domain-certificate-arn arn:aws:acm:REGION:ACCOUNT:certificate/CERT_ID \ --application-domain app.internal.company.com \ --endpoint-domain-prefix app \ --load-balancer-options '{ "LoadBalancerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/internal-app/xxx", "Port": 443, "Protocol": "https", "SubnetIds": ["subnet-xxx"] }' ``` ### Step 3: Configure Azure Private Link and Conditional Access Set up Azure Private Link for network isolation and conditional access for identity-based controls. ```bash # Create Private Endpoint for an Azure service az network private-endpoint create \ --name app-private-endpoint \ --resource-group production-rg \ --vnet-name production-vnet \ --subnet private-endpoint-subnet \ --private-connection-resource-id /subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Web/sites/internal-app \ --group-ids sites \ --connection-name app-connection # Configure private DNS zone for the service az network private-dns zone create \ --resource-group production-rg \ --name privatelink.azurewebsites.net az network private-dns link vnet create \ --resource-group production-rg \ --zone-name privatelink.azurewebsites.net \ --name production-link \ --virtual-network production-vnet \ --registration-enabled false ``` ```powershell # Create Conditional Access policy requiring compliant device + MFA Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" $params = @{ DisplayName = "Zero Trust - Require MFA and Compliant Device" State = "enabled" Conditions = @{ Applications = @{ IncludeApplications = @("All") } Users = @{ IncludeUsers = @("All") ExcludeGroups = @("BreakGlass-Group-ID") } Locations = @{ IncludeLocations = @("All") ExcludeLocations = @("AllTrusted") } } GrantControls = @{ Operator = "AND" BuiltInControls = @("mfa", "compliantDevice") } SessionControls = @{ SignInFrequency = @{ Value = 4 Type = "hours" IsEnabled = $true } } } New-MgIdentityConditionalAccessPolicy -BodyParameter $params ``` ### Step 4: Implement Micro-Segmentation with Network Policies Deploy network-level micro-segmentation to complement identity-based access controls. ```bash # AWS: Create security groups for micro-segmentation aws ec2 create-security-group \ --group-name web-tier-sg \ --description "Web tier - only HTTPS from ALB" \ --vpc-id vpc-PROD aws ec2 authorize-security-group-ingress \ --group-id sg-WEB \ --protocol tcp --port 443 \ --source-group sg-ALB aws ec2 create-security-group \ --group-name app-tier-sg \ --description "App tier - only from web tier" aws ec2 authorize-security-group-ingress \ --group-id sg-APP \ --protocol tcp --port 8080 \ --source-group sg-WEB # Kubernetes NetworkPolicy for pod-level segmentation cat << 'EOF' | kubectl apply -f - apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: api-allow-web-only namespace: production spec: podSelector: matchLabels: app: api-server policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: web-frontend ports: - protocol: TCP port: 8080 EOF ``` ### Step 5: Enable Continuous Verification and Logging Implement continuous trust verification rather than one-time authentication. ```bash # Configure CloudWatch to monitor access decisions aws logs create-log-group --log-group-name /verified-access/access-logs # Enable Verified Access logging aws ec2 modify-verified-access-instance-logging-configuration \ --verified-access-instance-id vai-INSTANCE_ID \ --access-logs '{ "CloudWatchLogs": { "Enabled": true, "LogGroup": "/verified-access/
Related in Cloud & DevOps
appbuilder-action-scaffolder
IncludedCreate, implement, deploy, and debug Adobe Runtime actions with consistent layout, validation, and error handling. Use this skill whenever the user needs to add actions to an App Builder project, understand action structure (params, response format, web/raw actions), configure actions in the manifest, use App Builder SDKs (State, Files, Events, database), deploy and invoke actions via CLI, debug action issues, or implement patterns such as webhook receivers, custom event providers, journaling consumers, large payload redirects, action sequence pipelines, and Asset Compute workers. Also trigger when users mention serverless functions in Adobe context, action logging, IMS authentication for actions, or cron-style scheduled actions.
orchestrating-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. Use this skill when the user needs a multi-step Data Cloud pipeline, cross-phase troubleshooting, or data space and data kit management. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase sf data360 workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching phase-specific skill), the task is STDM/session tracing/parquet telemetry (use observing-agentforce), standard CRM SOQL (use querying-soql), or Apex implementation (use generating-apex).
github-project-automation
IncludedAutomate GitHub repository setup with CI/CD workflows, issue templates, Dependabot, and CodeQL security scanning. Includes 12 production-tested workflows and prevents 18 errors: YAML syntax, action pinning, and configuration. Use when: setting up GitHub Actions CI/CD, creating issue/PR templates, enabling Dependabot or CodeQL scanning, deploying to Cloudflare Workers, implementing matrix testing, or troubleshooting YAML indentation, action version pinning, secrets syntax, runner versions, or CodeQL configuration. Keywords: github actions, github workflow, ci/cd, issue templates, pull request templates, dependabot, codeql, security scanning, yaml syntax, github automation, repository setup, workflow templates, github actions matrix, secrets management, branch protection, codeowners, github projects, continuous integration, continuous deployment, workflow syntax error, action version pinning, runner version, github context, yaml indentation error
sf-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase `sf data360` workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching sf-datacloud-* skill), the task is STDM/session tracing/parquet telemetry (use sf-ai-agentforce-observability), standard CRM SOQL (use sf-soql), or Apex implementation (use sf-apex).
fabric-cli
IncludedUse this skill for Fabric.so CLI workflows with the `fabric` terminal command: diagnose/install/login, search or browse a Fabric library, save notes/links/files, create folders, ask the Fabric AI assistant, manage tasks/workspaces, generate shell completion, check subscription usage, produce JSON output, and use Fabric as persistent agent memory. Do not use for Microsoft Fabric/Azure/Power BI `fab`, Daniel Miessler's Fabric framework, Python Fabric SSH, Fabric.js, or textile/fashion fabric.
lark
IncludedLark/Feishu CLI skills: lark-cli operations for docs, markdown, sheets, base, calendar, im, mail, task, okr, drive, wiki, slides, whiteboard, apps, approval, attendance, contact, vc, minutes, event. Use when the user needs to operate Lark/Feishu resources via lark-cli, send messages, manage documents, spreadsheets, calendars, tasks, OKRs, deploy web pages, or any Feishu/Lark workspace operations.