AWS Partner Network (APN) Blog

How Zscaler and AWS Wavelength Enable Secure Edge Computing with Zero Trust

By Nathan Howe, Vice President Emerging Technologies – 5G, Zscaler
By Henning Els, Sr. Solutions Architect, AWS


Super low-latency connections for the mobile carrier network are becoming increasingly important as we move to an ever-connected mobile world.

5G connectivity is built from the ground up striving for the most effective and lowest latency communication.

One example of an edge workload requiring low latency communication is augmented reality (AR); defining the correct location and access controls can ultimately decide the success and security of your solution. The effectiveness of the platform requires localizing the connection path from user to workload.

Deploying AR workloads as an open service to a carrier network exposes the service to untrusted users, potential attack, misuse, and interruption that is jointly connected to the carrier network.

In this post, we show you how to protect your network using AWS Wavelength for effective carrier connectivity and Zscaler Private Access (ZPA) for Zero Trust security.

Zscaler is an AWS ISV Partner with the Security Competency whose cloud services create fast, secure connections between users and applications, regardless of device, location, or network.

AWS Wavelength

AWS Wavelength is an Amazon Web Services (AWS) infrastructure offering optimized for mobile edge computing applications.

Wavelength allows enterprises to run workloads directly on dedicated multi-access edge locations within telco networks. This means solutions such as AR workloads can be consumed locally “on the edge” and directly in the carrier network, without having to egress traffic to an AWS region.

This enables solutions that are latency sensitive—such as the aforementioned AR workload but also things like driving and real-time artificial intelligence (AI) processes—to be captured by mobile devices, processed, enhanced, and shared with the user equipment in effective response times.

The diagram in Figure 1 demonstrates a deployment using a Wavelength zone, located in a service provider network, and hosting two workloads. This offers close-to-edge compute and storage resources, minimizing latency between the mobile device and workload.

What’s important to note here is the workloads are accessed through carrier gateway and not via an internet gateway (IGW) you’d find in a typical AWS deployment. The carrier gateway enables direct access between your workload and devices connected to the 5G network.


Figure 1 – Workloads with carrier IPs exposed to anyone on the carrier network.

Protecting Access to the Edge

Zscaler provides a Zero Trust security overlay solution that ensures only authorized users can see and access your workloads.

Customers deploy Zscaler to ensure seamless and secure access to workloads, regardless of the location or network where the application exists. Unauthorized access is unable to know the workload even exists, let alone connect.

This is Zero Trust with Zscaler Private Access (ZPA), the first Zero Trust architecture built on AWS that supports both cloud and hybrid infrastructure control and deployment.

The Zscaler Zero Trust Exchange solution protects your workloads running on AWS Wavelength by providing user-granular, Zero Trust access directly to the devices connected to the mobile network.


Figure 2 – Secure access to workloads with Zscaler Private Access.

Zscaler Private Access delivers a secure application access path from your users to AWS Wavelength workloads, at the same time concealing these workloads from anyone else. This is achieved through software services and not virtualized appliances.

The three main software components of Zscaler Private Access are:

Client Initiator (Zscaler Client Connector)

This is the client that requests access to a workload. Zscaler Client Connector provides a per-application, per-session, secure access path from the client. Users, if authorized and entitled, are connected to the recipient side of the connection.

Operator (Zscaler Service Edge)

This is the policy enforcement and control. It’s where user requests are brokered and connected to applications using dynamic, application-specific, TLS-based end-to-end encryption. The Zscaler Service Edge is also the point in which the decision on how to steer traffic from client to the necessary application is made.

App Connector (Zscaler App Connector)

The App Connector provides an outbound path for applications without exposing any part of your workloads, Amazon Elastic Compute Cloud (Amazon EC2) instances, or virtual private clouds (VPCs), ensuring your applications remain dark and unseen to unauthorized entities.

Zscaler provides seamless extension of these Zero Trust controls within your Wavelength zones through the deployment of the ZPA Private Service Edge (PSE). This is a local software service of the Zscaler cloud control layer, bringing Zero Trust control to your workload locations. Within a Wavelength zone, this ensures your traffic is not only secure but that it never escapes the local carrier environment.

Leveraging ZPA as the secure transport for AR workloads allows for direct, low-latency connection. ZPA overlays security, access, and path controls on top of the network, allowing workload isolation. It also limits access only to authorized users, thus removing the risk of exposure of your Wavelength workloads to the entire mobile carrier network.

Transparent, Zero Trust Access to Wavelength Applications

Zscaler Private Access enforces secure access using twin outbound secure tunnels—one each from the client (Client Connector) and the workload (App Connector). More information on traffic forwarding methods can be found on the Zscaler help site.

Each tunnel pair is unique, per application, and connects the user directly to the application in question. This removes the need for exposing AR workloads to the carrier network.

In addition, as each application connection follows its own unique path, ZPA can steer multiple sessions in parallel. This could be within the same Wavelength zone, across VPCs, or even externally to the internet.


Figure 3 – Secure, protected, Zero Trust access to Wavelength-hosted workloads.

ZPA’s cloud and local-based architecture delivers secure access for users to applications in multiple instances, VPCs across AWS Availability Zones (AZs), and geographic boundaries.

As ZPA connects applications to users, the network context is abstracted for the user. Thus, user traffic never needs to pass across VPC peering; instead, users are connected to the best direct path for application access.

The ZPA PSE is deployed so that enforcement of Zero Trust control is uniform across any location where the enterprise has users or workloads. Deploying PSE within a Wavelength zone allows for mobile connected users to connect directly to Wavelength-hosted workloads applying Zscaler Zero Trust controls at the edge.

The Zero Trust outcome allows only authorized users on the 5G mobile network to have local access to workloads in a secure method. Learn more about Zscaler authentication policies.

The AWS Wavelength deployment ensures optimal communication, allowing latency-sensitive workloads to be run close the 5G network edge.

Benefits of Zero Trust in the 5G World with Zscaler

Overlaying the security and protection controls for workload access ensures that network connections are simply transports for both carrier and other networks. The overlay ensures non-authorized access is blocked, which delivers protection to your workloads, but also provides the advantage of ensuring granular control of who should get access.

Deploying the ZPA solution within Wavelength zones allows for telco connected users to leverage the low latency path to their workloads and ensure that only the correct and authorized user can connect.

All other users of that telco will have zero visibility, nor will they have access to the applications that are hosted using the ZPA platform.


AWS Wavelength delivers a powerful step for enterprises to move applications close to their mobile user base, bringing low latency and speedy access to workloads within the 5G mobile network.

Zscaler Private Access (ZPA) ensures your Wavelength-hosted workloads are protected from unauthorized users, access attempts, and other mobile-network-connected threats. Zscaler delivers this protection through ensuring Zero Trust access through direct application paths for each application access, and only for authorized users.

Delivering least-privilege, Zero Trust access for users to their low latency, Wavelength-hosted workloads enables exciting new use cases such as enhanced retail experiences, smart factories, connected vehicles, and beyond.

Zscaler and AWS Wavelength provide the necessary tools and infrastructure to modernize and protect your connectivity for mobile connected users.

Learn more about Zero Trust at the edge, Zscaler Editions, and how Zscaler collaborates with AWS to protect workloads.


Zscaler – AWS Partner Spotlight

Zscaler is an AWS Security Competency Partner whose cloud services create fast, secure connections between users and applications, regardless of device, location, or network.

Contact Zscaler | Partner Overview | AWS Marketplace

*Already worked with Zsclaer? Rate the Partner

*To review an AWS Partner, you must be a customer that has worked with them directly on a project.