Integrate Azure Virtual WAN with Zscaler

Overview

This guide walks you through connecting Azure Virtual WAN to the Zscaler Cloud Security Platform. The integration provides secure, high‑performance internet traffic routing through Zscaler's global network.

  • Secure outbound traffic from Azure VNets
  • Policy‑based routing via Zscaler locations
  • Centralized reporting and analytics

Prerequisites

  • Azure subscription with Virtual WAN enabled.
  • Zscaler account with a ZIA (Zscaler Internet Access) subscription.
  • Network Security Group (NSG) rules allowing traffic to Zscaler IP ranges.
  • Azure PowerShell or Azure CLI installed.

Configuration Steps

1. Create a Virtual Hub

# A hub always belongs to a Virtual WAN, so --vwan is required; MyVirtualWan is a
# placeholder for the name of your existing Virtual WAN resource.
az network vhub create \
  --resource-group MyResourceGroup \
  --vwan MyVirtualWan \
  --name MyVirtualHub \
  --address-prefix 10.0.0.0/24 \
  --location eastus

2. Deploy Zscaler Partner Configuration

Use the Azure Marketplace template to provision the Zscaler partner resource:

az deployment group create \
  --resource-group MyResourceGroup \
  --template-uri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-partner-zscaler/azuredeploy.json \
  --parameters hubName=MyVirtualHub zscalerTenantId=YOUR_TENANT_ID

3. Associate VNets

Link the VNets you want to protect to the Virtual Hub:

az network vhub connection create \
  --resource-group MyResourceGroup \
  --vhub-name MyVirtualHub \
  --name HubVnetConnection \
  --remote-vnet MyVNet \
  --address-prefixes 10.1.0.0/16

4. Configure Route Tables

Add a route table that forwards internet‑bound traffic to the Zscaler partner. A hub route table names its next hop by Azure resource ID rather than by IP address, so replace the ZSCALER_NEXT_HOP_RESOURCE_ID placeholder with the ID of the Zscaler next-hop resource created in step 2, and associate the table with the hub VNet connection from step 3 so that the route is applied to the VNet:

az network vhub route-table create \
  --resource-group MyResourceGroup \
  --vhub-name MyVirtualHub \
  --name ZscalerRouteTable \
  --route-name ToZscaler \
  --destination-type CIDR \
  --destinations 0.0.0.0/0 \
  --next-hop-type ResourceId \
  --next-hop ZSCALER_NEXT_HOP_RESOURCE_ID

Validation

Verify the connection by checking the effective routes of a running VM inside the protected VNet (the NIC must be attached to a started VM for Azure to compute them):

az network nic show-effective-route-table \
  --resource-group MyResourceGroup \
  --name MyVMNic \
  --output table

The 0.0.0.0/0 route should show the Zscaler next hop as its next hop IP address for internet destinations, and Azure's own default Internet route should appear as Invalid because it has been overridden.
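Reading the effective-route table by eye misses one failure mode: a leftover, more specific route (for example a user-defined route left over from before the integration) wins on longest-prefix match and sends part of the internet-bound traffic straight out, bypassing inspection even though the 0.0.0.0/0 route looks correct. The following Python script is an added example, not part of this guide or of any Azure or Zscaler tooling. It replays Azure's route selection over the JSON form of the effective-route table and reports, for a few public probe addresses, whether each one would reach the expected Zscaler next hop. The route tables and the next-hop address 10.0.0.68 are constructed sample data, not values from this guide.

```python
import ipaddress
import json

# Constructed sample of `az network nic show-effective-route-table -g MyResourceGroup
# -n MyVMNic -o json` for a VM in the protected VNet (10.1.0.0/16). 10.0.0.68 is an
# assumed address standing in for the Zscaler next hop; it is not a value from the
# guide. When a hub or user route overrides Azure's default Internet route, the
# platform route is still listed, but with state "Invalid".
HEALTHY_ROUTES = json.dumps({"value": [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "state": "Active", "source": "Default"},
    {"addressPrefix": ["10.0.0.0/24"], "nextHopType": "VirtualNetworkGateway",
     "nextHopIpAddress": ["10.0.0.5"], "state": "Active", "source": "VirtualNetworkGateway"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.0.68"], "state": "Active", "source": "VirtualNetworkGateway"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "state": "Invalid", "source": "Default"},
]})

# Same table plus a leftover, more specific user route that sends one public /24
# (constructed, RFC 5737 documentation space) straight to the Internet. Longest-prefix
# match lets it win over the 0.0.0.0/0 Zscaler route, so that traffic bypasses inspection.
BYPASS_ROUTES = json.dumps({"value": json.loads(HEALTHY_ROUTES)["value"] + [
    {"addressPrefix": ["203.0.113.0/24"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "state": "Active", "source": "User"},
]})


def select_route(routes, destination):
    """Pick the active route Azure would use for `destination`: longest prefix wins."""
    ip = ipaddress.ip_address(destination)
    best_net, best_route = None, None
    for route in routes:
        if route.get("state") != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if (ip.version == net.version and ip in net
                    and (best_net is None or net.prefixlen > best_net.prefixlen)):
                best_net, best_route = net, route
    return best_net, best_route


def audit_internet_egress(effective_routes_json, expected_next_hop, probes):
    """Return {probe: (ok, detail)}: is each public probe address forwarded to the
    expected Zscaler next hop, or does it bypass it?"""
    routes = json.loads(effective_routes_json)["value"]
    results = {}
    for dest in probes:
        net, route = select_route(routes, dest)
        if route is None:
            results[dest] = (False, "no active route; traffic would be dropped")
            continue
        hops = route.get("nextHopIpAddress") or []
        if route["nextHopType"] == "VirtualAppliance" and expected_next_hop in hops:
            results[dest] = (True, f"{net} -> {expected_next_hop}")
        else:
            results[dest] = (False, f"{net} -> {route['nextHopType']} {hops} (bypasses Zscaler)")
    return results


if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY_ROUTES), ("bypass", BYPASS_ROUTES)):
        print(name)
        audit = audit_internet_egress(table, "10.0.0.68", ["8.8.8.8", "203.0.113.10"])
        for dest, (ok, detail) in audit.items():
            print(f"  {'OK  ' if ok else 'FAIL'} {dest}: {detail}")
```

To run it against a real NIC, feed the output of the validation command (with `--output json` instead of `table`) into `audit_internet_egress` together with the next-hop address shown in the table. Probe addresses are evaluated one at a time, so pick a few that represent the destinations your workloads actually reach.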

Troubleshooting

  • Cannot resolve Zscaler IP? Ensure the Zscaler IP list is whitelisted in your NSG.
  • Connection timeouts? Verify that the Virtual Hub's ExpressRoute or VPN connections are healthy.
  • Missing routes? Refresh the route table with az network vhub route-table update after any IP changes.
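The NSG prerequisite and the first troubleshooting item both come down to one question: does the first matching outbound rule, in priority order, allow TCP 443 to every Zscaler range? A hardened NSG that denies Internet egress at a low priority number makes this easy to get wrong, because an allow rule that lists only some of the ranges leaves the rest blocked by the deny. The Python script below is an added example, not part of this guide or of Azure's tooling. It evaluates a constructed set of outbound rules the way the platform does (ascending priority, first match wins, default rules at 65000 and above) and lists the Zscaler ranges that would be denied and by which rule. The rule set, the VNet address space 10.1.0.0/16 and the two placeholder Zscaler ranges are constructed; substitute the ranges Zscaler publishes for your cloud.

```python
import ipaddress

# Constructed outbound NSG rules, in the shape of `az network nsg rule list -g
# MyResourceGroup --nsg-name MyNsg -o json` (only the fields used here). Azure
# evaluates rules in ascending priority and stops at the first match; the rules at
# 65000 and above are the platform defaults.
OUTBOUND_RULES = [
    {"name": "AllowZscalerRange1", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationAddressPrefix": "198.51.100.0/24", "destinationPortRange": "443"},
    {"name": "DenyInternetOutbound", "priority": 200, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "AllowVnetOutBound", "priority": 65000, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]

# Placeholder Zscaler ranges (RFC 5737 documentation space, constructed); in practice
# use the ranges Zscaler publishes for your cloud.
ZSCALER_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]
VNET_CIDR = "10.1.0.0/16"  # assumed address space of the protected VNet


def prefix_matches(rule_prefix, net, vnet):
    """Does a rule's destinationAddressPrefix cover the whole destination network?
    Service tags are approximated: VirtualNetwork is the VNet address space and
    Internet is anything outside it. A rule covering only part of `net` does not match."""
    if rule_prefix == "*":
        return True
    if rule_prefix == "VirtualNetwork":
        return net.subnet_of(vnet)
    if rule_prefix == "Internet":
        return not net.overlaps(vnet)
    return net.subnet_of(ipaddress.ip_network(rule_prefix, strict=False))


def port_matches(rule_range, port):
    """destinationPortRange is '*', a single port, or 'lo-hi'."""
    if rule_range == "*":
        return True
    lo, _, hi = rule_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, dest_cidr, port, protocol="Tcp", vnet_cidr=VNET_CIDR):
    """Return (access, rule name) for the first outbound rule matching the flow,
    or ('Deny', 'implicit') if nothing matches."""
    net = ipaddress.ip_network(dest_cidr, strict=False)
    vnet = ipaddress.ip_network(vnet_cidr)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Outbound":
            continue
        if rule["protocol"] != "*" and rule["protocol"].lower() != protocol.lower():
            continue
        if not prefix_matches(rule["destinationAddressPrefix"], net, vnet):
            continue
        if not port_matches(rule["destinationPortRange"], port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "implicit"


def check_zscaler_reachability(rules, ranges=ZSCALER_RANGES, ports=(443,)):
    """List (range, port, blocking rule) for every Zscaler flow the NSG denies."""
    blocked = []
    for cidr in ranges:
        for port in ports:
            access, name = evaluate(rules, cidr, port)
            if access != "Allow":
                blocked.append((cidr, port, name))
    return blocked


if __name__ == "__main__":
    for cidr, port, rule in check_zscaler_reachability(OUTBOUND_RULES):
        print(f"BLOCKED {cidr}:{port} by rule {rule}")
```

In the constructed rule set the second range is denied by DenyInternetOutbound, which is exactly the "Cannot resolve Zscaler IP?" symptom above: the fix is an allow rule, at a lower priority number than the deny, that covers every published range. Rerun the check whenever Zscaler's ranges change, in the same way the route table is refreshed.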

FAQ

Do I need a dedicated Zscaler subscription for each Azure region?

No. A single Zscaler tenant can serve multiple Azure regions; just ensure the proper IP ranges are allowed.

Can I use Azure Firewall together with Zscaler?

Yes. Place Azure Firewall before the Virtual Hub to apply additional layer‑7 policies.

Is traffic encrypted between Azure and Zscaler?

Traffic traverses Azure's backbone and Zscaler's global network using TLS; you can enable IPsec tunnels for additional encryption.