AWS Partner Network (APN) Blog

How to Securely Access Amazon Virtual Private Clouds Using Zscaler Private Access


By Nathan Howe, Solution Architect at Zscaler
By Rupert Morris, Solution Architect at AWS

When you are enabling external access to an Amazon Elastic Compute Cloud (Amazon EC2) instance or Amazon Virtual Private Cloud (VPC), there’s a need to expose some sort of inbound path from the users to the application, usually over the internet.

It could be, for instance, a directly exposed application port, such as Secure Shell (SSH), or a remote access gateway. This facilitates functionality for your workloads, but it also increases risk.

Exposing your Amazon EC2 instance, VPC, or even your on-premises equipment to external connectivity means, by nature of Transmission Control Protocol/Internet Protocol (TCP/IP), that you need to publicly enable access and routes to your Domain Name System (DNS) and/or the IP address of your components.

This visibility allows for the possibility of unwarranted probing or attempts to connect to your workloads and services, thus increasing the attack surface for those with malicious intent.

To counter this threat, a new framework for access was proposed in 2010 by John Kindervag, who was at the time a principal analyst at Forrester Research. He suggested in his report, called No More Chewy Centers: The Zero Trust Model of Information Security, that no one should be able to see, let alone access, any application without first validating who they are and what device they’re using.

Kindervag wrote that stipulating the forced validation of these factors before access is granted changes the security model, as no part of the communication path is trusted; applications within an Amazon EC2 instance or VPC are not exposed until the point at which validation of the user (and device) can be confirmed.

Only at this point can access be granted. This is referred to as a Zero Trust architecture, where no part of the infrastructure or communication path can be trusted until access is authorized.

Zscaler, an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency, has been working with customers such as the manufacturing company MAN Energy Systems, to redefine secure access to applications either on-premises or as they move to Amazon Web Services (AWS).

In this post, we’ll discuss how you can implement a Zero Trust approach for access to workloads and services hosted on AWS with the aid of Zscaler Private Access (ZPA). You can subscribe to ZPA from AWS Marketplace.

What is Zscaler Private Access?

Zscaler Private Access is a cloud service that provides Zero Trust access to applications running on the AWS Cloud, or within on-premises data centers. With ZPA, your applications are never exposed to untrusted parties or the internet, making them completely invisible to unauthorized users.

ZPA, with its Zero Trust architecture, enables applications to connect only to authorized users via inside-out connectivity versus extending the network to them. Users are never placed on the network; thus, they cannot see what they aren’t specifically authorized to see. Rather, ZPA provides a logical, software-defined perimeter that validates the user, device, and access context before allowing access. This works across IT environments, on any device, and any internal application.

Transparent, Zero Trust Access to Applications

With the ZPA cloud-based service, organizations can create a secure connection between a named user and named application, instead of connecting users to networks. ZPA enforces secure access using twin outbound Transport Layer Security (TLS) tunnels. By abstracting the network and making sure security is enforced at the application layer, ZPA ensures your environment cannot be scanned or discovered by external entities, and unwanted traffic is not able to propagate across your environment.

Once ZPA is enabled within your VPC, you remove all rules from your inbound security group policy, as inbound internet connectivity will no longer be needed. With ZPA, access is delivered through outbound connectivity from your applications to your users through the Zscaler cloud. This takes place only after authentication, where both the user and device contexts are assessed, and authorization is verified based on the policy that you have built. This ensures your level of trust must be met before access is granted.

User and device authentication are handled by the customer’s choice of Security Assertion Markup Language (SAML)-compliant Single Sign-On (SSO) solution. Once the trust relationship has been established, ZPA will begin connecting applications to users using the aforementioned TLS tunnels.

ZPA’s cloud-based architecture allows you to enable secure access for users to applications in multiple instances, VPCs across Availability Zones (AZs), and geographic boundaries. As ZPA connects applications to users, the network context is abstracted for the user and, thus, traffic never needs to pass across VPC peering. Instead, users are connected to the best direct path for application access.

Each instance of application access will pass through individual, dynamic, session-based tunnels. As a result, users are not tied to one location as they are with static virtual private network (VPN) tunnels. This means users no longer need to consider “connecting a VPN to London because I just arrived in London,” or any other location, based on IT policy.

ZPA enforces access regardless of the application location, meaning a user can be connected to multiple apps, across multiple locations, without any impact to the user or requiring user interaction with a network or connectivity client.

How ZPA Delivers Secure Access to Applications

ZPA is a software-as-a-service (SaaS) platform, entirely cloud-based, with centralized policies that are enforced globally at the most convenient location for the user.

Figure 1 – ZPA works by brokering a connection between an authenticated user and an application.

Users connect transparently, and access with ZPA is as simple as accessing any publicly-available application. Users are always connected transparently and via the most effective path, so they can simply work and access applications without ever having to go through the tedious effort of first connecting to a VPN.

There are three pieces to the ZPA pie:

The Initiator (Zscaler App)

The part of the solution that requests access to something; in this case, the end users and their devices. There’s a need to access an application on the recipient side, and this is where Zscaler App (Z App) enables transparent access without requiring the user to consider a VPN or secure access path. Users, if entitled, are automatically connected.

The Operator (Z Broker)

The policy definition and enforcement stage. This is where user requests are brokered and connected to applications using dynamic, application-specific, TLS-based end-to-end encryption. All data remains private and enterprises can bring their own public key infrastructure (PKI) certificates.

Once the user is validated to have access to the application, Z Broker enables access to the application; no access to the network is given to the user. Thus, ZPA gives visibility and control into the specific apps being accessed by specific users. This information can then be streamed automatically as logs to your SIEM (Security Information and Event Management). Discovery of apps being accessed by users allows admins to identify unknown apps and apply granular controls and automated responses to events.

The Recipient (App Connector)

The App Connector provides the outbound path for applications without exposing any part of your Amazon EC2 instances or VPCs, ensuring your applications remain dark, unseen on the public internet. This provides the protected application aspect of a Zero Trust model; no one can see anything without validation.

There is no reliance on the user knowing where the application is located. Applications can exist on VPCs within AWS, on-site in your physical data center, or in another location. As opposed to using a VPN, users never have to consider where they connect; rather, this is handled by ZPA.

Migrating workloads to AWS is also simplified, as ZPA addresses common networking and security objectives, such as overlapping IP space or user access connectivity, that arise during cloud migration projects.

Key Features Enabled by Zscaler Private Access

ZPA simplifies the way you manage access to your applications using four key tenets:

  • Users are never on the network: They are never given access to the corporate network. Access is application-specific, with no need to define policy by IP address or access control lists (ACLs).
  • Apps are never exposed to the internet: Internal IP addresses are never exposed and internal applications are on a corporate “dark-net,” completely invisible to users, unless users are authorized to access them.
  • The internet is the new corporate network: ZPA leverages the internet for dynamic, app-specific, TLS-based, end-to-end encryption. All data remains private and ZPA customers can use their own PKIs.
  • Application segmentation, not network segmentation: There is no user-to-network access. Users have direct access only to specific applications, and each application session has its own micro-tunnel, essentially creating a segment of one between a user and an app.

ZPA’s cloud-based security approach enables enterprises to determine who has access to which internal applications, even as they migrate from the data center to AWS.

Figure 2 – Overview of how ZPA provides users access to applications, regardless of location.

Get Started Using ZPA with Applications on AWS

In Figure 2 above, you can see how users are given a secure connection to Amazon EC2 or on-premises workloads via the Z Broker/ZPA ZEN (Zscaler Enforcement Nodes) cloud network. The best route between users and workloads is dynamically identified and managed by the Zscaler cloud.

Zscaler ZPA ZENs are located in AWS Regions, as well as the Zscaler private cloud. Zscaler ZENs are a fully-managed service (part of the Zscaler cloud) and connect to the ZPA connectors for your AWS workloads.

The ZPA Connectors are deployed in a private subnet of a VPC on Amazon EC2 instances, which allows for user interaction with your AWS workloads. The ZPA Connectors still require a route via a public subnet (with a NAT Gateway) to the Zscaler cloud, allowing ZPA to simplify the way in which you manage access to your applications.

Here are a few steps you can take to protect your VPC with ZPA. Note that the following steps require you already have ZPA configured with Zscaler. For more information, please request a demo from a Zscaler representative.

  1. Configure and install the Zscaler Private Access Connector Amazon Machine Image (AMI). When you choose AWS, the ZPA admin user interface (UI) will walk you through how to obtain the community AMI.
  2. Ensure you have selected an appropriate location in your VPC for the Zscaler instance on AWS (App Connector). Pick a location as close as possible to your applications, but with the correct security group policy.
  3. Protect your VPC with the following AWS security group configuration:
    • Allow the App Connector to connect to your applications on all needed ports
    • Allow the App Connector to talk back to the Zscaler cloud on TCP port 443
    • Block all inbound access from the internet to your VPC
  4. Use the Zscaler App on your client device(s) and start accessing your apps securely.
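One way to check that a deployment follows the security group rules in step 3, written as an added example rather than Zscaler's or AWS's own code: it audits security group descriptions shaped like the JSON returned by `aws ec2 describe-security-groups`; the sample groups, their IDs and the application port are constructed for the example.

```python
# Added example (not Zscaler's or AWS's code): audit ZPA App Connector security
# groups against the post's three rules. Input is shaped like the JSON from
# `aws ec2 describe-security-groups`; the sample is constructed, IDs are hypothetical.
ANY = {"0.0.0.0/0", "::/0"}

CONNECTOR_SG = {  # no inbound rules; egress only to Zscaler (TCP 443) and the app
    "GroupId": "sg-connector-example", "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]}]}
APP_SG = {  # the application admits traffic only from the connector's group
    "GroupId": "sg-app-example", "IpPermissionsEgress": [],
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-connector-example"}]}]}


def _peers(rule):
    """Split one rule into (set of CIDRs, set of referenced security groups)."""
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    return cidrs, {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}


def audit(connector_sg, app_sg):
    """Return a list of findings; an empty list means the post's rules hold."""
    findings, conn, app = [], connector_sg["GroupId"], app_sg["GroupId"]
    # "Block all inbound access from the internet": no 0.0.0.0/0 or ::/0 inbound.
    for sg in (connector_sg, app_sg):
        for rule in sg["IpPermissions"]:
            if _peers(rule)[0] & ANY:
                findings.append(f"{sg['GroupId']}: inbound open to the internet")
    # "Allow the App Connector to connect to your applications": the app's
    # inbound rules reference only the connector's group, never a CIDR.
    for rule in app_sg["IpPermissions"]:
        cidrs, groups = _peers(rule)
        if cidrs or groups != {conn}:
            findings.append(f"{app}: inbound not limited to {conn}")
    # "Talk back to the Zscaler cloud on TCP 443": connector egress is either
    # TCP 443 or a rule targeting the application group, nothing else.
    for rule in connector_sg["IpPermissionsEgress"]:
        cidrs, groups = _peers(rule)
        to_zscaler = (rule["IpProtocol"] == "tcp" and not groups
                      and rule.get("FromPort") == rule.get("ToPort") == 443)
        if not (to_zscaler or (not cidrs and groups == {app})):
            findings.append(f"{conn}: unexpected egress {rule['IpProtocol']} "
                            f"{sorted(cidrs | groups)}")
    return findings
```

Run `audit()` over the output of `describe-security-groups` for the connector and application groups; any non-empty result is a rule that re-opens an inbound or egress path the post says should not exist.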

Try Zscaler Private Access for Free

Zscaler Private Access is available for trial through an interactive demonstration. ZPA Interactive allows you to explore ZPA access to applications in Amazon VPCs, hosted data center solutions, and other cloud locations.

ZPA Interactive lets you experience how simple and secure your AWS instances will be to access. Sign up for your free ZPA experience.

To learn more about Zscaler Private Access for AWS, visit Zscaler or check out AWS Marketplace.



Zscaler – APN Partner Spotlight

Zscaler is an AWS Security Competency Partner. They enable organizations to securely transform their networks and applications for a mobile and cloud-first world.
