network_stuff:zscaler

Allows the same kind of segmentation we can get in an EC2 instance (security groups, ACL and so on) but in end user stations.
Zscaler has their own cloud. they offer there: authentication, firewall (inspection) and metrics

Agents

Requires Zscaler agent running on the computers client connector
app connectors (for applications) External_Link

Cloud

Zscaler Internet Access (ZIA) service

When connection from 'on-site', ZIA uses GRE tunnel/s to get to he zscaler location
- The tunnel 'bundles' all on-site users inside the same tunnel. That optimizes the routing to the zscaler cloud.
That tunnel is limited to 1G and to 1k users. More users require more locations with more tunnels.
- Limitations:
  - (1G/250Mb per GRE tunnel (outbound)). If more throughput, we need more tunnels (and more public IPs). Link

Zscaler Private Access (ZPA)

To access your organization's internal resources from any location. External Link
ZPA uses TLS tunnels to meet-in-the middle: remote user »» ZS BROKER «« connectors(target infra)
Makes use of the connectors
- In admin.private.zscaler.com > Config & control > Private infrastructure > App Connectors

Topics

PAC files

https://help.zscaler.com/zia/understanding-pac-file
Example of use: “create a wildcard that redirects all traffic of *.data.cloud.mycompany.mygroup.com (an example) towards the internal DNS from the perspective of PAC file?