How does Zscaler Internet Access itself route the traffic to the internet, using what outgoing/next hop GW

We have a few question related to ZIA and how the traffic being handled and routed inside Zscaler Internet Access
(1) Once the traffic is re-directed to ZIA using IPSec or GRE, how does ZIA routes the traffic outside to the internet/SaaS?, using some internal gateway or router ? is there any internal routing inside ZIA to indicate which gateway to use as next hop to the internet (secured/allowed traffic to the internet)

(2) How does ZIA route back to the source, is there any real time sessions/connections tables that being tracked by ZIA and learned by ZIA ?

(3) Is there any way to fetch the above information (+ traffic logs) from ZIA API


Is your question related to the following topic?

Thanks Ben for your response.

Actually the questions are more about Zscaler Internet Access (internal architecture)
How does Zscaler route the traffic outside to the internet, is there any internal “routing table” being maintained by Zscaler Internet access to select the next hop gateway

Great question! I wish I knew the answer first-hand. All I am aware of is the help documentation for ZIA Architecture.

I am also going to tag @rburkett who might be able to point us down the right path.

1 Like

ZIA has direct BGP peerings to many large telcos like Lumen and Vodafone and *aaS providers such as AWS and Microsoft, so these are very low latency connections to the Internet at large. I do not know what routing equipment is in use, but it’s definitely BGP routing once it leaves the Service Edge.

Internally, my understanding is that there is no routing to speak of. Once a packet is received by the Service Edge, it is sent on the backplane to an enforcement node, processed on all enforcement planes simultaneously, and then sent out to the Internet if all checks are passed.

Getting traffic back to the client is very simple. With IPSEC/GRE, it works just like any other PTP VPN. With ZCC, the client builds a SSL microtunnel to the Service Edge and ZIA knows to return it down the same tunnel.

If you want to trace the network path, I highly recommend using ZCC on your endpoints instead of IPSEC or GRE and then subscribing to ZDX and leveraging the CloudPath feature. It’s honestly incredible insight, and I had my client buy it for that feature alone. Traffic logs are all going to be found in ZIA, but you’re not going to have the insight into the backend of ZIA. That is understandably well-guarded intellectual property.

1 Like

Thank you! Dan :),


This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.