What tunnels does ZPA use?


I am trying to understand how ZPA works at the network level. From what I can gather, the ZPA Client Connector app sets up a tunnel to a ZPA Service Edge node (either public or hosted in an enterprise DC), and an inside-out tunnel is set up from the App Connector to the ZPA Service Edge. These two tunnels are stitched together for the end-to-end connectivity. Are these two tunnels IPSec?

Is IPSec a requirement, or can TLS be used? I also see some questions in the forum about using GRE tunnels. When is GRE recommended? Trying to wrap my head around what kind of tunnel options ZPA supports and the pros/cons.


The client connector application on a user's device creates a mutually authenticated TLS tunnel towards the ZPA public or private service edge, and the app connector creates a TLS tunnel towards the same ZPA public or private service edge.

Traffic from the client is forwarded via a Microtunnel (M-tunnel) for each application. This M-tunnel is actually within the TLS tunnel towards the ZPA service edge, and extends via the TLS tunnel created by the app connector.

The article (link below) should help you understand further. In short, ZPA utilises TLS tunnels from the client connector and the app connector to the ZPA service edges; no IPSec or GRE is required.
GRE and IPSec tunnels are associated with Zscaler Internet Access.