Announcing the ability to Bring Your Own Dedicated IP (BYOIP) on the Zscaler Zero Trust Exchange

As organizations accelerate Zero Trust adoption, one consistent request from network architects, CISOs, and compliance teams is the ability to egress the internet using deterministic, dedicated IP addresses tied specifically to their organization. While Zscaler has been providing dedicated IPs to organizations for a very long time, our customers have expressed interest to bring their own IPs to support certain legacy workflows, regulatory environments, and partner systems that still require static, predictable and customer-owned egress IPs.

Zscaler supports both Zscaler-assigned Dedicated IPs and customer-owned Dedicated IPs (Bring Your Own IP aka BYOIP) giving enterprises maximum flexibility while preserving the benefits of a modern Zero Trust architecture.

What is a Dedicated IP address?

A dedicated IP address is a unique IP (Internet Protocol) address that is permanently allocated to a single organization ensuring it is exclusively available for their use. Although not a Zero Trust method due to poor authentication, complexity and vulnerability to compromise, allowlisting access to resources based on source IP address remains a tool in use by legacy SaaS platforms or partner networks. Zscaler offers multiple solutions to address this problem that are covered in this White Paper. 

Why Dedicated IPs Still Matter, Even in a Zero Trust World

Many customers continue to operate systems that rely on fixed public IP identity. Dedicated IPs help address:

1. Deterministic Identity for Downstream Controls

Some SaaS platforms, partner networks, or regulatory gates still depend on allowlisting IP addresses for access control. Dedicated IPs ensure predictable egress identity without impacting Zero Trust posture.

2. Clear Lines of Ownership, Logging, and Auditability

Customer-owned IP ranges create clean attribution boundaries for compliance, logging, and forensics.

3. Operational Stability Across Migrations

Dedicated IPs maintain consistent external identity even as internal architectures modernize or move away from on-prem or hyperscaler environments.

4. Regulatory and Sovereignty Requirements

BYOIP enables organizations to keep ownership of their IP ranges while leveraging Zscaler’s global cloud footprint.

What BYOIP on Zscaler looks like

You bring an IPv4 prefix you own, Zscaler securely validates your authorization to use our ASN to originate it, then Zscaler advertises the route from the designated region and makes the IPs available as Zscaler Managed Dedicated IPs for policy and egress. You can be assigned as many Dedicated IPs as you are entitled to. The validation hinges on two pillars:

• ROA: A cryptographically signed object in your Regional Internet Registry (RIR) that authorizes a specific Autonomous System Number (ASN) to originate your route.
• A customer-signed BYOIP message: A short, signed statement tying your prefix to your organization that Zscaler verifies against public materials you publish in your RIR records.

Supported regions and ASNs

• APAC: AS53813
• Americas: AS22616
• EMEA: AS62044

Prerequisites

• Your prefix is registered with your RIR (ARIN, APNIC, RIPE).
• IPv4 is supported today (minimum size /24 from a single Zscaler DC). IPv6 minimum is /48 for future support planning; check with your Zscaler representative for timelines.
• Create a ROA in your RIR that includes your prefix and the appropriate Zscaler ASN for the region where you want the BYOIP deployed.
• Prepare an x.509 self-signed certificate pair (public and private) to sign your BYOIP validation message.

Security and assurance under the hood

• ROA and RPKI validation: The industry-standard framework ensures route origination integrity. Zscaler’s routing system checks your ROA status before advertisement.
• Cryptographic attestation: Your x.509-backed signed message lets us confirm the request aligns with your RIR-published materials, thwarting spoofing or misrepresentation.
• Regional scoping: By tying ROA to a specific Zscaler ASN per region, you control where your prefixes are surfaced, aligning with data residency or performance requirements.
• Operational safeguards: Zscaler enforces change controls and automated checks before announcements, and monitors propagation and reachability once live.

Technical FAQs

• What happens if the ROA expires? Zscaler monitors ROA validity. If the ROA lapses, announcements may be withdrawn to maintain routing hygiene; plan renewals ahead of time.  It is critical to ensure timely renewal to avoid service disruptionx.
• Can I move a prefix between regions? Yes, but you must update the ROA to authorize the new regional ASN and coordinate via support to ensure seamless transitions.
• IPv6 support? Minimum /48 applies. Check with your Zscaler team for current availability timelines.
• How is logging handled? Traffic egressing via Dedicated IP is visible in Zscaler logs and analytics as usual, with your owned ranges aiding correlation and downstream controls.

Key definitions

• ROA: A cryptographically signed object that specifies which ASN is authorized to originate a given route.
• RIR: Regional Internet Registry (ARIN, RIPE, APNIC) governing allocations of IP addresses and ASNs.
• X.509: A standard for digital certificates used to verify entities in online communications.

Getting started

If you already own eligible prefixes and have RIR access, you can begin today by creating your ROA, publishing your public certificate in your netblock remarks, preparing and signing the BYOIP message, and opening a support ticket. If you prefer white-glove onboarding, contact your Zscaler representative to coordinate the process and timelines.

With customer-owned Dedicated IPs, the Zero Trust Exchange becomes not only the fastest path to secure access, but also the most predictable and compliant way to represent your organization on the internet.