

Introduction to Cloud Security Connectors for Zscaler.


The Cloud Security Connector (CSC) is a device that enables easy deployment of the Zscaler Internet Access (ZIA) solution in any customer environment. There are CSC models for Virtual Platforms, such as VMware, Hyper-V, etc., and Public Clouds, such as AWS, Azure, and Gcloud.


The CSC GRE for AWS lets you connect securely to Zscaler ZIA at up to 1 Gbps without hassle.


The CSC for AWS comes with all the required configurations and works with the Zscaler API. After you launch the CSC from the AWS Marketplace using the CloudFormation template provided, it automatically selects the best ZEN nodes, creates the GRE tunnels, and creates the Location on your Zscaler console.


All Zscaler ZIA functionalities are available. Internal IPs are completely visible on the Zscaler console GUI.

It includes Private Cloud Private Access (PriCPA) functionality, which lets you create a full mesh among the CSCs to carry your private traffic on a Zero Trust model.


Simple to install, with complete management from AWS Systems Manager, Rundeck (or similar, like Ansible, Salt, etc.) and SSH.






Key benefits of the Cloud Security Connector GRE for AWS


  • No networking knowledge is required.
  • Enables any AWS VPC to be connected to Zscaler ZIA up to 3 Gbps.
  • Easy to create and deploy: Automated deployment using CloudFormation template and Zscaler API. 
  • With Private Cloud Private Access (PriCPA) you can connect all sites securely on a Zero Trust model. The CSC secures your Private Traffic between your physical and cloud locations. 
  • The CSC comes with the optimal values to work with Zscaler ZIA.
  • Full tunnel redundancy.
  • High Availability.
  • All traffic forwarding options supported:
    • Route all traffic to Zscaler (or http/s only).
    • Use of PAC files.
    • Use of Explicit Proxy.
    • No default Route scenarios.
  • Multiple options to Bypass Traffic via dedicated Public IP:
    • Layer 7 Proxy Bypass to Trusted Web Sites.
    • Layer 4 Routed Bypass: TCP, UDP and ICMP per source/destination Network and Port (UDP/TCP).
    • New! Full Proxy mode for devices with Explicit Proxy settings (e.g. Linux hosts), enabling communications to Zscaler (Location IP based), direct domain Bypass (e.g. .domain.com) and communication with internal systems.
  • Zscaler Cloud Firewall and Cloud Web Security.
  • Complete visibility of internal IPs on Zscaler Console. 
  • No operational burden for Administrators.
  • Fully hardened device.
  • Multiple tools for testing and troubleshooting included: Traffic Logs, TCPDump, Speed Test, MTR (MyTraceRoute), keepalive statuses, etc.
  • Management via SSH, AWS Systems Manager, Rundeck or similar (Ansible, Salt, etc.).
  • It runs on a cheap AWS instance: t2, t3a and t3 instances.