AWS Direct access


(Lior) #1

Hello All
We are seeing more and more customers with AWS applications which are restricted to the gateway IP address. When deploying Zscaler, the IP changes to the ZEN pool, thus services are denied.

What would be the best way to handle such scenarios?
With adding the ZEN public pool to the access control not being a secure solution, is there an efficient way to map AWS pools and set them on a route-map to go direct?

Can anyone share experience with such scenarios?

Thank you!

(Sumukh Rao) #2

Hi Lior,

Considering that Zscaler is a shared platform, we do not allocate specific egress IP addresses to the customers using the service. However, we insert an XFF header on the traffic being sent out to the original server with the actual customer’s IP that we received the traffic on.

If the server can look at the XFF and allow access that would be ideal.

Some customers also use/deploy V-ZENs as an option to ensure dedicated egress IP addresses.

Thank you!

(Bill Fehring) #3

AWS does not look at XFF for security groups or network ACLs.

(Lior) #4

Is it possible to narrow down the IP addresses used by the ZEN for NAT?
For example, the NYC ZEN is currently listed with a /24 range; are all IPs used for this purpose?

Any other suggestions for a solution?

(Scott Bullock) #5

Today any IP in the /24 may be used for the DC source. Is this use case you are solving related to 3rd-party IP whitelisting?

(Lior) #6

The current customer has a VM in AWS which allows access from corporate location IPs.
I am wondering if there are any other solutions:

  1. Allow access to the VM from all Zscaler IP addresses (a very extensive permission).
  2. Bypass the entire AWS traffic (requires massive ACL settings to forward traffic directly, is difficult to maintain, and would make this traffic invisible to IT).
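The second option above depends on keeping a bypass list in step with the AWS-published prefixes. As an added example (not code from any poster or from Zscaler), this parses a constructed sample in the shape of the public `ip-ranges.json` file AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, collapses the EC2 prefixes for one region into a bypass list, and diffs two snapshots so the maintenance burden is visible. The prefixes and `syncToken` values are constructed placeholders, not real AWS ranges.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file carries thousands of entries; these prefixes are documentation ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25",   "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24",     "region": "us-east-1", "service": "S3"},
    ],
})

# A second constructed snapshot, as if AWS had published a later revision.
SAMPLE_IP_RANGES_LATER = json.dumps({
    "syncToken": "1700086400",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24",   "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/25",     "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "EC2"},
    ],
})


def bypass_prefixes(ip_ranges_json, region, service="EC2"):
    """Collapsed list of prefixes for one region/service, suitable for a bypass ACL."""
    data = json.loads(ip_ranges_json)
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] == region and p["service"] == service
    }
    # Adjacent /25s merge into a /24, so the ACL stays as short as the data allows.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def prefix_delta(old_json, new_json, region, service="EC2"):
    """What an operator would have to add/remove from the bypass ACL between snapshots."""
    old = set(bypass_prefixes(old_json, region, service))
    new = set(bypass_prefixes(new_json, region, service))
    token_changed = json.loads(old_json)["syncToken"] != json.loads(new_json)["syncToken"]
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "sync_token_changed": token_changed}
```

Running `prefix_delta` on each new publication shows how often the ACL would change; any added prefix is a gap until the ACL is updated, and any removed one is traffic that silently stops bypassing.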

(Scott Bullock) #7

This is a good use case for VZEN, and also a great use case for ZPA (put a connector next to the AWS app).

They are the only two options which come to mind.