Azure Virtual WAN Integration Overview and Demo

Moving workloads to Microsoft’s Azure cloud is a popular choice for organizations. But like all data services, security is still required, and Zscaler is an approved Security As A Service (SecAAS) provider.

Connecting Zscaler and Azure can be handled via an encrypted IPsec connection. We’ve recently made this easier with the general availability (GA) of our one-touch configuration to all customers. Leveraging Microsoft’s APIs we’ve been able to automate the setup of the IPsec connection between the Azure and Zscaler clouds. In this talk I’ll start by introducing you to concepts around:

  • Azure Virtual Hub replaces the use of third party virtual gateways
  • The differences between a Virtual Hub and a Secured Virtual Hub
  • Azure Firewall Manager operation
  • Prerequisites for Zscaler to connect to Azure via IPsec

From there I’ll demonstrate how this functionality can be configured, showing the end-to-end setup. You can learn more about Azure Virtual WAN here


Great video, thanks for sharing! Couple of questions.

Let’s say I configured the Gateway scale unit to 500 Mbps on day 1. About a year later, I am now tapping the ceiling of that throughput. Can I go back into the secured virtual hub and change the gateway scale units or do I have to redeploy entirely? Also, from a resiliency perspective, how would the customer monitor to ensure they don’t run into limits? Or is our recommendation to just deploy the secured virtual hub with a crazy scale like 4 Gbps?

A customer wants to know: after the tunnels have been created, can we change the role from Contributor to something else that has fewer privileges?

If they do that, they will not be able to make any future changes to the tunnel, like deleting it.
If they want to reduce the scope of the role, just assign it to the relevant Resource Group, so it cannot make changes to anything else on Azure.

@mjasyal can you answer my questions above?

I am not sure if the hub can be reconfigured to higher bandwidth. I’ll have to check.

When you are spinning up the secure wan hub, you can select other options beyond 500Mbps. Is that a static value only? You’d think they could change it.

Please forgive me if this is the wrong forum. Any ideas on how I leverage Zscaler connectivity in Azure to access Azure File Shares? Thanks

Thank you for the demo. I would like to know if this can be used with the Azure Virtual WAN User VPN (P2S VPN). I would like to force users’ internet traffic to go through Zscaler when they are connected to the Azure client VPN. Please advise if this is the best way to achieve controlling users’ internet breakout, as the Azure Client VPN currently only supports split tunneling.

Quite an interesting feature. I think this is exactly what I am looking for, to control the Azure Server traffic with Zscaler. Thanks for the demo

When I try to put in a sub-location on an Azure Virtual WAN location, it won’t save because I can’t add a “name.” The name field is just “_ _ _”. Any way to fix this?

Is there a method to bypass traffic from being forwarded to Zscaler? We have a requirement to bypass specific URLs from going to Zscaler so that we can whitelist our Azure IPs at the destination host!

Wow, it’s 6/2021 and they still haven’t fixed this, as I’m having this issue also! They said to import a CSV file smh

Hi all,
I have a query, more on Azure DC internet traffic controlled via Zscaler Internet Access.
We have IPsec site-to-site tunnels in place to Zscaler and no issues with the Zscaler connection, but we have an issue keeping certain Azure Microsoft URLs, which are within the Microsoft network and in the same LAN, from being routed through Zscaler, mainly for a few Microsoft distribution updates.
How can we achieve this easily?

Today, just due to this reason, we could not achieve the benefit of Zscaler for Azure DC.

Any guidance would be appreciated