This blog is co-authored by Gina McFarland, Solutions Architect, AWS

Introduction

The Zscaler Zero Trust Cloud solution transforms how customers secure their workloads and workload traffic deployed in public clouds such as AWS or in on-premises data centers and private clouds.

Built on the Zscaler Zero Trust Exchange, the world’s largest inline cloud security platform, the solution simplifies cloud workload security for enterprises. It offers consistent, comprehensive threat and data protection with common security policies and cloud-scale TLS inspection. It eliminates lateral movement and reduces the attack surface by connecting apps instead of networks and applying least-privilege access. The platform supports cloud-to-internet, cloud-to-cloud, cloud-to-data-center, and region-to-region connectivity and security, reducing operational costs and complexity.

Customers use this solution to secure workload connections to the Internet or to other workloads. Security teams have often expressed a need for a managed offering in the public cloud that they can consume as a cloud-native service. Zscaler is introducing a new offering that adds a new deployment model that simplifies installing, configuring, and managing Zero Trust Cloud.

Zero Trust Gateway Service

Zscaler Zero Trust Gateway service (ZTGW) allows customers to secure their workload traffic with just a few clicks. In this model, Zscaler takes on the responsibility of deploying, managing, and maintaining the security infrastructure in AWS, enabling customers to secure their cloud environment in minutes.

With the fully managed service option, customers no longer need to deploy or manage Z-Connector VMs in their environment. Zscaler’s service provides a comprehensive solution that delivers high availability and scalability through native cloud technologies. Customers can focus solely on their business without concerns about scalability or infrastructure management.
ZTGW Service offers numerous benefits that can be highly attractive to enterprises, making it a compelling model to adopt for an improved overall experience. Zscaler will also take full responsibility for managing the infrastructure and any costs related to these components, further reducing operational overhead for your organization.

Auto Configuration/Dynamic Configuration/Smart Configuration

In this service model, all infrastructure configurations are handled by Zscaler, streamlining what would typically require extensive preparation and testing before deployment in a customer environment. With optimized configurations, all necessary resources are quickly activated, securing the customer’s public cloud traffic within minutes.

Resource Lifecycle Management/Lifecycle Workflow Control

Lifecycle management in a public cloud environment is essential, as it streamlines resource management across all stages—from creation and deployment to scaling, updating, and decommissioning. A key focus is cost optimization, which is supported through effective resource management. The service addresses this by tracking multiple metrics and responding as needed to ensure efficient resource use.

Auto Scaling/On-demand Scaling/Adaptive Scaling

With this service, customers no longer need to worry about the traffic volume that their security infrastructure can handle in terms of throughput and bandwidth. Zscaler leverages native adaptive scaling in the public cloud, ensuring resources are always available to manage customer traffic without requiring any configuration or monitoring on the customer’s part. This contrasts with resources running in the customer’s own environment, where they would typically need to manage, configure, and troubleshoot issues as they arise.
This is what makes Zscaler the best: we deliver service offerings that take the complexity off your plate, so you can focus on what matters most to your business.

Monitoring/Visibility

In public clouds, default logging and monitoring capabilities are often limited to basic features, with advanced features requiring licensing. However, with the service, customers gain access to detailed logs, offering in-depth visibility across their environments. The service also incorporates native adaptive scaling, automatically adjusting to handle any required events. Additionally, ZTGW allows monitoring of every packet, ensuring comprehensive insights and complete control over network traffic. This level of visibility and flexibility empowers customers to maintain high security and optimize performance with ease.

Logging

Centralized logging in a multi-cloud environment offers a unified view of activities and insights across various cloud deployments. The service provides a single portal for multi-cloud logging, which simplifies management and also allows for real-time monitoring and troubleshooting, enabling faster incident response and minimizing potential downtime. This approach also helps reduce the complexity of managing logs across multiple environments, streamlining reporting and audit processes.

Operational Efficiency

The service significantly enhances operational efficiency by reducing the resource management burden on customers, especially during upgrades. Traditionally, managing resources and performing upgrades requires substantial effort from the customer’s end, involving planning, coordination, and sometimes downtime. The service handles all upgrades, including major releases on the OS image side and feature updates; patches for any issues are applied seamlessly without any outage or downtime.
Architecture

The Zero Trust Gateway service operates on a service-to-consumer model in which Zscaler handles the full configuration, maintenance, and management of security infrastructure as a service. Customers simply consume this service through a Gateway Load Balancer endpoint (GWLBe), allowing them to secure and route their cloud traffic without the need to deploy, monitor, or troubleshoot infrastructure. By offloading infrastructure management to Zscaler, customers benefit from reduced operational complexity and improved performance.

Deployment Architectures/Deployment and Design Options

Customers can easily connect ZTGW endpoints to their existing security, egress, or traffic inspection VPCs without requiring drastic changes to their current network setups. This approach aligns with commonly used and well-established architectural patterns. By simply connecting the endpoints and updating routes, organizations can seamlessly leverage the value of the Zscaler Zero Trust Exchange while utilizing their existing infrastructure.

1. Centralized Architecture with Transit Gateway

In the public cloud landscape, customers have a few options in designing architectures to secure the traffic for their cloud resources. In the traditional Hub-and-Spoke model, a central Security VPC (hub) houses security devices which examine traffic before it exits the AWS network or moves between VPCs. This model leverages a Transit Gateway as the central connection point, facilitating consistent security policies and centralized monitoring across the spoke VPCs, making it effective for environments with heavy inter-VPC communication.
The packet flow proceeds as follows:

- Traffic generated in the workload is directed to a destination that matches a subnet route table with a Transit Gateway attachment as the next hop.
- Once the packet arrives at the TGW, it is routed to the Gateway Load Balancer endpoint (GWLBe), which is registered with the ZS service as the next hop.
- The traffic reaches the service, where it goes through traffic forwarding rules to match the appropriate configuration.
- The traffic then lands on the Zero Trust Exchange, where it is inspected based on matching criteria before either being routed to the internet or directed toward a private application through ZPA.

2. Decentralized Architecture with Endpoints in Each VPC

In contrast, a decentralized architecture using Gateway Load Balancer endpoints (GWLBe) enables direct connectivity from workload VPCs to ZS services without passing through a central hub. Leveraging AWS PrivateLink and Gateway Load Balancer (GWLB), each VPC can connect directly to ZTGW without relying on intermediary resources like a Transit Gateway. Many enterprises have adopted this model for network connectivity, and Zscaler has designed its solution to align with this approach, offering on-demand connectivity at the workload level without the complexity and manual intervention typically required with Transit Gateways or VPC peering. This design is particularly beneficial for environments with hundreds of accounts and VPCs, where traditional methods (routing, peering, etc.) are less scalable.

The packet flow is as follows:

- Traffic from a workload is directed according to the subnet route table, which has a default route pointing to the GWLBe registered with the Zscaler service.
- The traffic arrives at the ZTGW, where it is processed based on configured policies and routed accordingly.
- Traffic can either be inspected within the Zscaler Zero Trust Exchange (ZTE) before being routed to the internet, or directed to a private application through ZPA.

3. Hybrid Architecture with GWLBe and Transit Gateway for Workload VPCs

This design is also commonly adopted by enterprises as it supports various use cases, particularly when VPCs have overlapping CIDR ranges and cannot connect through a Transit Gateway. In this model, workloads connect directly to the required service, bypassing the need for Transit Gateway connections and accommodating complex network configurations. This design is also highly effective in scenarios with different owners or partner environments, where both network segregation and security are essential before traffic reaches its destination. In such cases, having a clear separation while ensuring secure connectivity is critical, especially when handling sensitive or regulated data. With this service, enterprises can easily implement these requirements, achieving secure, seamless traffic management without the complexities typically associated with multi-tenant or partner environments.

The packet flow is as follows. The image below illustrates two packet flows:

- In the first flow, a packet from the workload in AWS account 2 follows the subnet route table, reaching the Transit Gateway attachment, which then directs it to the GWLBe registered with the Zscaler service.
- In the second flow, traffic from AWS Account 1 is sent directly to the GWLBe, where it lands on the ZTGW for security inspection.

Benefits

In conclusion, Zscaler Zero Trust Gateway offers a sophisticated suite of features designed to enhance security and protect your organization from evolving cyber threats.
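All three designs above come down to the same mechanism: a subnet route table (and, in the centralized and hybrid cases, a Transit Gateway route table) whose longest-prefix match for non-local destinations ends at the GWLBe. The following Python is an added example, not Zscaler's or AWS's code, that traces a packet hop by hop through constructed route tables for the centralized and decentralized flows and then audits every workload subnet for a default route that ends somewhere other than a GWLBe. The route tables are constructed and simplified (one route table per Transit Gateway, targets identified only by their id prefix); in particular, the assumption that a GWLB endpoint route shows up with a `vpce-` target id is mine, so check it against your own `aws ec2 describe-route-tables` output before reusing the classification.

```python
"""Trace a packet through AWS route tables and flag subnets whose default
route bypasses the inspection endpoint (GWLBe).

Added example, not Zscaler or AWS code. All tables below are constructed.
Assumption: a Gateway Load Balancer endpoint route carries a "vpce-" target.
"""
import ipaddress

# Constructed VPC route tables: table id -> list of (destination CIDR, target).
# Target id prefixes: local, tgw- (Transit Gateway), vpce- (GWLB endpoint),
# igw-/nat- (egress that never reaches the inspection endpoint).
VPC_ROUTE_TABLES = {
    # 1. Centralized: the app subnet sends everything non-local to the TGW.
    "rtb-app":    [("10.0.0.0/16", "local"), ("0.0.0.0/0", "tgw-0a1b")],
    # Security VPC subnet holding the TGW attachment: default route -> GWLBe.
    "rtb-sec":    [("10.100.0.0/16", "local"), ("0.0.0.0/0", "vpce-gwlbe-hub")],
    # 2. Decentralized: the GWLBe lives in the workload VPC itself.
    "rtb-web":    [("10.1.0.0/16", "local"), ("0.0.0.0/0", "vpce-gwlbe-web")],
    # Misconfigured subnet whose default route goes straight to an IGW.
    "rtb-legacy": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "igw-legacy")],
}
SUBNET_ROUTE_TABLE = {
    "subnet-app": "rtb-app",
    "subnet-sec-attach": "rtb-sec",
    "subnet-web": "rtb-web",
    "subnet-legacy": "rtb-legacy",
}
# Constructed Transit Gateway route table (simplified to one table per TGW)
# and the subnet each TGW attachment lands in.
TGW_ROUTE_TABLES = {
    "tgw-0a1b": [("10.0.0.0/16", "tgw-attach-app"), ("0.0.0.0/0", "tgw-attach-sec")],
}
ATTACHMENT_SUBNET = {"tgw-attach-app": "subnet-app", "tgw-attach-sec": "subnet-sec-attach"}

MAX_HOPS = 8  # guard against routing loops between tables


def longest_prefix_match(routes, dst_ip):
    """Return the target of the most specific route covering dst_ip, or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(subnet_id, dst_ip):
    """Follow a packet from subnet_id toward dst_ip and return the hop list.

    The last element is the terminal target (local, vpce-, igw-, nat-),
    'blackhole' when no route matches, or 'loop' when MAX_HOPS is exceeded.
    """
    hops = [subnet_id]
    for _ in range(MAX_HOPS):
        target = longest_prefix_match(VPC_ROUTE_TABLES[SUBNET_ROUTE_TABLE[subnet_id]], dst_ip)
        if target is None:
            hops.append("blackhole")
            return hops
        hops.append(target)
        if not target.startswith("tgw-"):
            return hops  # local, vpce-, igw-, nat-: the VPC path ends here
        # Transit Gateway hop: consult the TGW route table, then continue in
        # the subnet that holds the chosen attachment.
        attachment = longest_prefix_match(TGW_ROUTE_TABLES[target], dst_ip)
        if attachment is None:
            hops.append("blackhole")
            return hops
        hops.append(attachment)
        subnet_id = ATTACHMENT_SUBNET[attachment]
        hops.append(subnet_id)
    hops.append("loop")
    return hops


def audit_egress(subnet_ids, probe_ip="203.0.113.10"):
    """Classify each subnet's path to an internet address (probe_ip is a
    constructed TEST-NET-3 address). 'inspected' means the path terminates
    at a GWLB endpoint; anything else that egresses is reported as 'bypass'."""
    verdicts = {}
    for subnet_id in subnet_ids:
        last = trace(subnet_id, probe_ip)[-1]
        if last.startswith("vpce-"):
            verdicts[subnet_id] = "inspected"
        elif last in ("blackhole", "loop"):
            verdicts[subnet_id] = last
        else:
            verdicts[subnet_id] = "bypass"
    return verdicts


if __name__ == "__main__":
    for subnet_id in SUBNET_ROUTE_TABLE:
        print(subnet_id, "->", " > ".join(trace(subnet_id, "203.0.113.10")))
    print(audit_egress(SUBNET_ROUTE_TABLE))
```

Running the script shows the centralized path (`subnet-app > tgw-0a1b > tgw-attach-sec > subnet-sec-attach > vpce-gwlbe-hub`), the decentralized path (`subnet-web > vpce-gwlbe-web`), and reports `subnet-legacy` as `bypass` because its default route ends at an internet gateway. In a real account the tables would be loaded from `describe-route-tables` and the TGW route search APIs; the audit logic itself stays the same.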
Key capabilities of this service include:

- SSL Inspection: Provides comprehensive visibility and control over encrypted traffic to prevent threats hidden in SSL/TLS communication.
- Advanced Threat Protection: Shields your organization from the latest malware, ransomware, and zero-day exploits.
- Data Protection: Safeguards sensitive information with robust data loss prevention (DLP) capabilities.
- DNS Protection: Secures DNS traffic to prevent malicious domains from compromising your systems.
- Sandboxing: Isolates and analyzes suspicious files in a controlled environment to prevent harmful content from entering your network.
- User-Defined Tags: Enabled through cloud-native tags, providing granular control through tailored security policies for ZIA and ZPA.

With the features listed above and more, Zscaler Zero Trust Gateway empowers you to achieve industry-leading Zero Trust Security.

What’s Next

You can learn more about Zero Trust Cloud here. If you are interested in talking to a product expert to learn more about this service, please connect with us here.