Zscaler Blog

Eliminate the B2B Connectivity Risk: A Practical Guide to Zero Trust

GANESH VELLALA UMAPATHY, SHAKTI KUMAR
October 30, 2025 - 7 min read

How much would you trust your partner or supplier organization’s security?

Every site-to-site VPN connection you establish is an answer to that question.

For decades, the default has been network-to-network trust, using firewalls and tunnels that flatten your network and expand the blast radius of any incident. With this architecture, you are implicitly trusting your partner’s patching cadence, firewall rules, and overall security posture.

But where you see a business partnership, a sophisticated adversary sees an attack superhighway leading directly into your network. This outdated model is complex, costly, and creates an unacceptable level of risk.

It’s time to transform business partner connectivity and adopt a new model based on zero trust.

Problem #1: Unacceptable Security Risk 

Site-to-site VPNs were built for a different era—one of trusted networks and defined perimeters. Their primary goal was to establish reliable connectivity, not to enforce granular secure access. This fundamental design flaw creates unacceptable risks in a zero trust world. Trusted connections act as digital superhighways. Once the tunnel is up, the two networks effectively become one, creating a flat, attackable surface. This is where the danger lies.

Expanded Attack Surface

When organizations establish a site-to-site VPN, they are creating network-level trust zones. This means the attack surface is no longer just the organization’s own infrastructure; it now includes the network of every partner you connect to. An attacker who compromises a partner device can use that trusted tunnel as an attack superhighway directly into your environment. They can move laterally, scan for vulnerable internal servers, and seek out high-value targets like databases and domain controllers.

[Figure: Attack Surface]

Exposed To The Weakest Security Link

Organizations can no longer protect themselves by simply securing their own infrastructures since their electronic perimeter is no longer meaningful; threat actors intentionally target the suppliers of more cyber-mature organizations to take advantage of the weakest link.  – NIST IR 8276

The trust-based model forces organizations to make a dangerous assumption: that your partner’s security posture is as robust as your own. You are implicitly trusting their firewall rules, their patching cadence, and their overall security posture. If they have a compromised credential or a single unpatched server, their vulnerability instantly becomes your emergency. Your organization’s security is now only as strong as your least secure partner.

This isn't just theoretical. State-sponsored adversaries like Volt Typhoon have made this their signature tactic. They breach organizations not through the front door, but by compromising a less-secure partner and riding their trusted connection straight into the heart of the network. The 'weakest link' is no longer just a risk; it's an actively exploited reality.

Problem #2: The Operational Nightmare

Traditional network-based solutions necessitate manual configuration and management of multiple IPsec tunnels for each business partner, leading to significant complexity in managing virtual routing and forwarding (VRF)-aware DNS settings. Custom DNS configurations are required for each partner's application, and VRFs must be accurately set up to prevent IP address overlaps. This results in a heavy operational burden, with each partner needing an isolated routing and DNS framework. Consequently, scaling and maintaining the infrastructure becomes resource-intensive, hindering agility and operational efficiency.

Complexity

Extending VPNs to business partners’ networks demands significant effort in scaling and maintenance, including redundant tunnels, manual configuration of failover, and constant monitoring to ensure uptime. As more partners are onboarded, management of these tunnels becomes increasingly complex. Ensuring high availability in such an environment requires extensive planning, increased operational overhead, and a heavy reliance on redundant infrastructure, which can be costly and difficult to manage effectively.

For the networking and security teams, the problems multiply:

  • Zero Visibility: Lose sight of who is accessing what with fragmented logging and weak session attribution.
  • Operational Burden: Teams drown in IP address management, brittle firewall rules, and endless hardware scaling.
  • M&A Paralysis: For mergers and acquisitions, the pain is acute. Weeks or even months are lost establishing these risky links and solving for overlapping IP address spaces. Simply put, legacy connectivity kills business agility.
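The overlapping-address problem above is the one check a network team has to run before every new tunnel or merger. The following script, an added example and not Zscaler's code, performs that check over a constructed inventory of routed prefixes: it reports every pair of prefixes from different sites that overlap and lists the sites that would consequently need their own VRF and VRF-aware DNS. All site names and prefixes are constructed sample data.

```python
"""Detect overlapping address space among site-to-site VPN partners.

Added example (not Zscaler's code). The page notes that every partner
tunnel needs VRF isolation and custom DNS to avoid IP overlap; this is
the check a network team runs before building those tunnels. Every
prefix and site name below is constructed sample data.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed inventory: prefixes each site advertises over its tunnel.
# "self" is the organization's own address space.
SITES = {
    "self":      ["10.0.0.0/8", "172.16.0.0/12"],
    "partner-a": ["10.20.0.0/16"],          # collides with self
    "partner-b": ["192.168.10.0/24"],
    "partner-c": ["192.168.0.0/16"],        # swallows partner-b
    "partner-d": ["100.64.0.0/16"],         # clean
}


def find_overlaps(sites):
    """Return a sorted list of (site_x, prefix_x, site_y, prefix_y) tuples,
    one for every pair of routed prefixes from *different* sites that
    overlap. Overlaps inside a single site are that site's own problem and
    are ignored here."""
    entries = [(site, ip_network(p))
               for site, prefixes in sites.items() for p in prefixes]
    hits = []
    for (sx, nx), (sy, ny) in combinations(entries, 2):
        if sx != sy and nx.overlaps(ny):
            hits.append((sx, str(nx), sy, str(ny)))
    return sorted(hits)


def sites_needing_isolation(sites):
    """Sites that cannot share one routing table with the others: any site
    involved in at least one overlap. In a VPN design each of these needs
    its own VRF plus VRF-aware DNS; with application-level access the
    question never arises because no prefixes are exchanged."""
    involved = set()
    for sx, _, sy, _ in find_overlaps(sites):
        involved.update((sx, sy))
    return sorted(involved)


if __name__ == "__main__":
    for sx, px, sy, py in find_overlaps(SITES):
        print(f"OVERLAP {sx} {px} <-> {sy} {py}")
    print("need VRF isolation:", sites_needing_isolation(SITES))
```

Run on the sample inventory it flags the self/partner-a collision on 10.x and the nested partner-b/partner-c ranges, so four of the five sites already need isolation; every additional partner has to be checked against all existing ones, which is why the per-tunnel effort grows with the number of partners rather than staying constant.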

The Zero Trust Alternative: ZPA B2B Extranet Connectivity

There is a better way. Zscaler introduced Extranet Application Support to solve this problem by bringing foundational zero trust principles to partner connectivity. Instead of connecting networks, we connect authorized entities directly and only to the applications they need. Every single session is authorized, inspected, and logged before any traffic moves.

The initial release of this feature was a game-changer, allowing customers to give their users secure access to applications hosted in partner environments without requiring risky site-to-site VPNs.

Now, with bi-directional extranet support, the model extends both ways:

  • Customers can reach partner workloads securely.
  • Partners can reach customer workloads securely.

All this is achieved without ever exposing networks, managing complex firewall rules, or trading in dangerous implicit trust.

[Figure: ZPA Extranet Connectivity]

Bi-directional extranet support with Zscaler Private Access gives IT and security teams what they need most:

  • Visibility: Every transaction is logged, and every flow is inspectable in a single console.
  • Control: Every session is tied to a granular, identity-based policy.
  • Agility: Onboard a new partner in hours or days, not weeks or months.
  • Resiliency: Tunnels terminate in the global Zscaler cloud, which provides built-in redundancy and scale.

Use Case 1: An Organization Accessing Partner Applications

Organizations often need their own employees or internal workloads to access applications hosted and managed by a partner. With ZPA Extranet Connectivity, this is simple and secure.

  • Employees use the Zscaler Client Connector (ZCC) or browser-based access to reach partner apps, with identity, device posture, and policy determining what’s allowed.
  • OT and device management teams can use privileged remote access workflows to manage partner-hosted infrastructure without opening risky network tunnels.
  • Workloads (in branches, clouds, or data centers) can make API calls to partner services directly without any network peering.

Examples in Action:

  • Healthcare: A hospital’s clinicians securely access lab reporting portals hosted by external diagnostic vendors, with no direct network connection between the two organizations.
  • IT Services: Outsourcing teams connect to client-hosted build systems or test environments without needing to manage cumbersome VPN clients or be placed on the client's network.

Use Case 2: Partners Accessing Organization’s Applications

Just as importantly, business partners need to reach applications inside your environment. Traditionally, this meant granting them a hole in the firewall—a dangerous assumption of trust. With ZPA Extranet Connectivity, you are in complete control.

  • Least-Privilege Access: Partners can only access the specific applications you publish to them—and nothing else on your network.
  • Always-On Inspection: All inbound traffic to DC applications can be fully inspected using ZIA’s SWG capabilities.
  • No Network Exposure: You never expose your internal DNS or IP addresses. Zscaler provides a DNS Forwarder, completely hiding the real IP and location of the application.
  • Unified Logging: Every transaction is centrally logged, eliminating the blind spots inherent in traditional extranets. Each new partner connection is simply an additional policy rule, not a new IPsec tunnel to build and manage.
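The difference between the expanded attack surface described under Problem #1 and the least-privilege, centrally logged model described here can be made concrete. The script below is an added example, not Zscaler's code and not a description of ZPA internals: it models a site-to-site tunnel as a route plus a coarse firewall rule, so everything on the routed prefix is reachable, and models application-level access as a policy engine that knows only published application names, identities, and device posture, and records every decision with the identity attached. The hosts, prefixes, partner and user names are constructed sample data; the `AccessRequest` and `PolicyEngine` classes are illustrative names chosen for this example.

```python
"""Blast radius of network-level trust vs. application-level access.

Added example, not Zscaler's code. Model 1 is a site-to-site VPN: a
partner gets a route and a firewall rule, so reachability is a routing
question. Model 2 is application-only access: a partner identity sees
just the apps published to it and every decision is logged with the
identity, not an IP pair. All names and addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed internal inventory: what lives behind the data-center tunnel.
HOSTS = {
    "orders-app":   ("10.1.5.10", 443),
    "build-server": ("10.1.7.30", 8080),
    "db-prod":      ("10.1.9.20", 5432),
    "dc01":         ("10.1.1.5", 389),
}


# --- Model 1: site-to-site VPN -------------------------------------------
def reachable_via_vpn(hosts, routed_prefix, allowed_ports=None):
    """Hosts a partner can reach once its tunnel carries a route to
    routed_prefix. allowed_ports=None models the common 'permit ip' rule
    that a partner ACL tends to drift toward over time."""
    net = ip_network(routed_prefix)
    return {
        name for name, (ip, port) in hosts.items()
        if ip_address(ip) in net
        and (allowed_ports is None or port in allowed_ports)
    }


# --- Model 2: application-level (zero trust) access ------------------------
@dataclass
class AccessRequest:
    user: str            # identity asserted by the partner's IdP
    partner: str         # organization the identity belongs to
    app: str             # application name requested, never an IP address
    device_compliant: bool


@dataclass
class PolicyEngine:
    published: dict                       # partner -> set of app names
    log: list = field(default_factory=list)

    def evaluate(self, req: AccessRequest) -> str:
        """Allow only a published app to a compliant device, and log every
        decision with the identity so each session is attributable."""
        if not req.device_compliant:
            decision = "DENY:device-posture"
        elif req.app not in self.published.get(req.partner, set()):
            decision = "DENY:not-published"
        else:
            decision = "ALLOW"
        self.log.append({"user": req.user, "partner": req.partner,
                         "app": req.app, "decision": decision})
        return decision

    def reachable(self, partner):
        """Everything a partner could ever reach: exactly its published set.
        Unpublished hosts are not denied by a rule; they are simply absent."""
        return set(self.published.get(partner, set()))


if __name__ == "__main__":
    vpn = reachable_via_vpn(HOSTS, "10.1.0.0/16")
    engine = PolicyEngine(published={"logistics-co": {"orders-app"}})
    print("VPN model reachable:       ", sorted(vpn))
    print("Zero trust model reachable:", sorted(engine.reachable("logistics-co")))
    for req in (
        AccessRequest("alice@logistics-co", "logistics-co", "orders-app", True),
        AccessRequest("alice@logistics-co", "logistics-co", "db-prod", True),
        AccessRequest("mallory@logistics-co", "logistics-co", "orders-app", False),
    ):
        print(req.user, req.app, "->", engine.evaluate(req))
    for entry in engine.log:
        print(entry)
```

With the route in place, the VPN model exposes all four hosts, including the database and the domain controller, to a partner whose only business need is the order management system; the application model exposes one, and the log line for each request names the user and the application rather than a source and destination IP that someone later has to map back to a person.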

Examples in Action:

  • Manufacturing: Logistics providers are granted secure access to update order management systems hosted in the manufacturer’s data center, without any visibility into other corporate resources.
  • Retail: Payment processors and franchise systems connect to HQ-hosted financial apps without being placed on the corporate network.

In Conclusion: A New Era for Business Partner Connectivity

Site-to-site VPNs flatten networks and create implicit trust. ZPA Extranet Application Support enforces strict, application-only access. By extending zero trust to partner connectivity—in both directions—Zscaler delivers the agility your business needs without sacrificing the security it demands. Whether you’re navigating an M&A, scaling supply chain integrations, or modernizing all your B2B connectivity, now is the time to leave legacy VPNs and their inherent risks behind.

Take the self-guided product tour to experience firsthand how you can easily deploy ZPA and set up extranet connectivity to your business partners.

Ready to chat? Sign up now and our product experts will connect with you to discuss how ZPA Extranet Connectivity can transform your organization’s business partner connectivity!


Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.