Allows the same kind of segmentation we can get in an EC2 instance (security groups, ACL and so on) but in end user stations.\\
Zscaler has their own cloud. they offer there: authentication, firewall (inspection) and metrics

==== Agents ====
  * Requires Zscaler agent running on the computers ''client connector''
  * ''app connectors'' (for applications) [[https://help.zscaler.com/zpa/about-connectors|External_Link]]

==== Cloud ====
=== Zscaler Internet Access (ZIA) service ===
    * When connection from 'on-site', ZIA uses **GRE tunnel/s** to get to he zscaler location
      * The tunnel 'bundles' all on-site users inside the same tunnel. That optimizes the routing to the zscaler cloud.
    * That tunnel is limited to 1G and to 1k users. More users require more locations with more tunnels.
      * [[https://help.zscaler.com/zia/ranges-limitations|Limitations]]:
        * (1G/250Mb per GRE tunnel (outbound)). If more throughput, we need more tunnels (and more public IPs). [[https://help.zscaler.com/zia/understanding-generic-routing-encapsulation-gre|Link]]
        * 
=== Zscaler Private Access (ZPA) === 
  * To access your organization's internal resources from any location. [[https://youtu.be/kvbKr7MVBlk|External Link]]
  * ZPA uses **TLS tunnels** to meet-in-the middle: remote user >>>> ZS BROKER <<<< connectors(target infra)
  * Makes use of the ''connectors''
    * In admin.private.zscaler.com > Config & control > Private infrastructure > App Connectors



----
=== Topics ===
== PAC files ==
[[https://help.zscaler.com/zia/understanding-pac-file]] \\
Example of use: "create a wildcard that redirects all traffic of *.data.cloud.mycompany.mygroup.com (an example) towards the **internal DNS** from the perspective of PAC file?