Question about Source IP Anchoring


We’ll access third party service, where will do whitelistening our trust public IP to access their services.
As the option to mitigate the security gap, we’re considering Source IP Anchoring as the option.
I’ve searched some relevant documents from Zscaler websites, but still struggling some to clearify the service flow of Source IP Anchoring.
If I am understanding correctly, it will use ZPA(App Connector) and it’s also using private ZEN or virtual ZEN. Do both App connector and private ZEN need to be set for Source IP Anchoring or just either one out of two elements? The principle of the service traffic flow using IP Anchoring is not clear for me.
Can anyone help me clarify this?
BTW, we’re running ZPA currently.


Hi Kay,
Private ZEN is not required and we use several dedicated SIPA Azure App Connectors (based on client GDPR requirements and GEO to Public ZENs) with static Public IP’s.

But If you want to use ZIA with SIPA then you’ll need to configure a ‘Forwarding Control’ policy.

Happy to share more but I think that’s the only bit you are missing unless you are using ZPA only ?



in a nutshell you can think of SIPA vs ZPA like
ZPA ‘jumphost towards internal machines’
SIPA ‘jumphost towards external machines’

in both cases the system you want to access will either see the ZPA connectors internal IP address as source or the SIPA connectors external IP as source.
Or the other way around - if you have to access 3rd party systems who are not willing to whitelist whole ZScaler ranges (or at least one CENR range) SIPA is the way to handle that.

In both cases traffic flow is
client->ZS cloud->connector->system you want to reach

Hope this makes sense.

Thanks Thomas.

We’re trying to use SIPA to access external third party service from our internal network through ZS.
We’re already operating ZPA with App Connectors hosted in our DC.
Can we share the same App Connector with SIPA or we need to set any kind of dedicated App Connector for SIPA?
If we can use our existing ZPA App Connector for SIPA, According to the traffic flow you mentioned, the traffic to the external service will be sent to ZS Cloud first and then sent back to the App Connector in our DC site and finally sent to the external service destination.
Is it correct?

Thanks G-Man,

We’re already running ZPA with App Connector hosted in our DC. (behind DC firewall)
I am wondering if we can use our App Connector for SIPA in this case.

You would need to setup a dedicated connector instance to act as SIPA

Traffic flow can be seen here: