Source IP Anchoring

Hi folks,
I went over the articles for IP anchoring. I understood how to configure it, but I finished the doc with more doubts.
I have a theory of how it works, by sending traffic to ZIA (all security engines apply here) then from ZIA traffic goes to ZPA to the App Connector and from there it goes directly to the Internet (No need to pass through Zscaler this time) Is that how it works?

Also, the way to specify the traffic that I want to keep our public IP is per App Segment, so, that means that I need a application segment per subnets that I want to keep the public IP when going out?

Also, Does this traffic counts toward the maximum bandwidth an App connector supports, if that is the case, Should I need to deploy a “special” App connector dedicated to this??

I could not found much more documentation about this topic and I felt the articles are focused only in how to configure it.
Has anyone configured this and had it working? Or anyone has some other info besides:
About Source IP Anchoring | Zscaler and Configuring Source IP Anchoring | Zscaler

Appreciate any help, thanks !

In order of the questions:
-Yes, pretty much
-App Segments must be defined based on FQDN, not IP. Once created (and tagged as SIPA) it automatically becomes available in ZIA
-Yes, traffic passes the Connector as normal. You don’t need a dedicated Connector for this traffic, but you can do it if this traffic is particularly important or voluminous (as with all App segments)

In general, see SIPA as regular ZPA traffic, except that it’s sourced by ZIA. However, if you use ZCC, make sure that this traffic isn’t picked up by ZPA directly (since bypassing ZIA means you no longer have its security)
You can use the ZPA forwarding policy to influence this

2 Likes

Thank you jhage for the answer,

When you said an App Segment must be defined based in FQDN instead of IP, it raised another question.
How can I do for my local LAN, lets say for example that I want all my users on subnet 10.1.1.0/24 to keep our company public IP when go to the internet. How can I achieve that by using an FQDN in the App Segment? Is it IP Anchoring only for traffic from specfic applications? Is not possible to “anchor” to my public IP the local user traffic?
Im feeling like I got this wrong since the begining and it is not for what I thought it was.
Thank you a lot jhage!