IPsec Tunnel from Azure virtual Gateway to Zscaler


we are currently trying to establish a IPsec connection from Azure via the Azure virtual gateway to Zscaler.
But at the moment it isn´t working.
Does anyone have experience regarding this?

Thanks in advance.

Hi Constatin,

in the past there have been some limiting factors such as Azure VPN gateway not supporting NULL encryption and not initiating IKE. But today it should be possible to setup this outbound tunnel to Zscaler. Without any additional details it is hard to figure out why your setup is not working.

Before moving ahead with this … your email does not reveil much about the actual intent the setup. Are you trying to build a high available forwarding path of server workloads connecting to the Internet through ZIA? In that case Azure VPN gateway may not be the right choice. For example, so far it hasn’t proved to provide mechanisms to do an intelligent forwarding path failover from primary to secondary Zscaler DC based on L7 health-checks.

Not sure what you are trying to accomplish, but just wanted to let you know that this might be a blocker for running production workloads. There are better alternatives to achieve these goals …


Hi Luc,

I’m curious about what would be the best practise / recommended way to build a high available forwarding path of server workloads connecting to the Internet through ZIA ?
For now I’m also looking into setting up 2 IPSec tunnels from 1 Azure VPN gateway to 2 Zscaler locations. Failover/routing into these locations is a thing I’m strugling with.
I was also looking into the Azure Virtual WAN option but that is still in beta fase.

Hope to have added to the original question.

Regards, Martin

1 Like

We already solved the problem, it was a misconfiguration of us in the azure portal.

1 Like

Great if you can publish the steps to configure the same …

1 Like

Hello Constantin,

We’re doing the same thing but is getting difficulties establishing the tunnel to Zscaler. Would you mind what was adjusted on your end for Azure?



Hi all,

we used power shell to deploy the connection to azure, because with power-shell you are able to set the parameters of the IPsec connection. I´ve used the commands in the text file i attached.azure-powershell.txt (404 Bytes)

And it is important that you put in the address space of the specific ZEN in the address space field of the local network gateway. This worked for us. I recommend IKEv2.


Power shell script doesn’t have preshared key ? Is that to configure via GUI ?

I deployed the connection with the PSK via power - shell:
New-AzVirtualNetworkGatewayConnection -Name $connection_name -ResourceGroupName $resourcegroup -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng1 -Location germanywestcentral -ConnectionType IPsec -IpsecPolicies $IPsecPolicyZIA -UsePolicyBasedTrafficSelectors $true -SharedKey ‘$psk’

1 Like