Your Apps Moved to AWS, So Why Are Your Users Still on the Network?

Time for a better approach to secure remote access.

Network-centric security makes moving to AWS painful

Today, 60 percent of enterprises are running apps in AWS to increase scalability and speed. This move has extended the perimeter to the internet. Yet, many enterprises still rely on remote access VPNs, which are network-centric and not built to secure access to the internet. They also place users on the network and require physical or virtual appliances, which increases complexity and limits scalability.

Common pitfalls of network-centric approaches:
  • Places users on the network to provide access to AWS
  • Requires appliances, ACLs and FW policies
  • Provides a poor end-user experience
  • Inbound connections create opportunity for DDoS attacks
  • Lacks the ability to provide true application segmentation

[Figure: remote user internet-bound traffic routed through a data center security stack before it heads to the AWS cloud and returns]

[Figure: ZPA redefining how internal applications can be accessed, enabling enterprises to receive the full benefits of the AWS cloud]

Zscaler Private Access for AWS

Enabling user and application-centric security for AWS

Zscaler Private Access (ZPA) for AWS is a cloud service from Zscaler that provides zero-trust, secure remote access to internal applications running on AWS. With ZPA, applications are never exposed to the internet, making them completely invisible to unauthorized users. The service enables the applications to connect to users via inside-out connectivity rather than extending the network to them. Users are never placed on the network. It provides a software-defined perimeter for AWS that supports any device and any internal application.

Zscaler Private Access for AWS benefits

Transform with Zscaler.

Better remote user experience

Users have fast, direct-to-cloud access without having to log in to a remote access VPN client each time.

Secure remote access without network access

Access is policy-based, with no access to the network. Admins gain visibility into the apps being accessed by users and the ability to discover unsanctioned apps running within AWS.

No hardware appliances, lower costs

The cloud service requires no hardware. Enterprises can easily scale across multiple AWS and Zscaler data centers with no need to replicate gateways.

Less complexity for admins

Network admins can segment based on application from within the web UI. No need to segment by network. No IP address segmentation or access control lists required.

Traffic remains private via internet network

The service uses dynamic, application-specific, TLS-based end-to-end encryption. All data remains private, and enterprises can bring their own PKI.

Scale elastically, reduce latency

The service uses the global AWS network to ramp up new users and route them to the app location nearest to them via internet-based networking.

Simplify secure remote access to internal apps on AWS

AWS Native Security Groups are a good start, but they are often manually intensive. Zscaler Private Access takes a user- and application-centric approach to network security. It ensures that only authorized users and devices have access to specific internal applications on AWS. Rather than relying on physical or virtual appliances that are IP-centric, ZPA uses lightweight, infrastructure-agnostic software to connect both users and applications to the Zscaler Security Cloud, where the brokered connection is stitched together. ZPA is complementary to AWS Native Security Groups, as well as AWS Direct Connect.

[Figure: ZPA uses lightweight infrastructure to connect both users and apps on AWS to the Zscaler Security Cloud]

1.  ZPA Public Service Edge

  • Hosted in cloud
  • Used for authentication
  • Customizable by admins
  • Brokers a secure connection between a Client Connector and App Connector

2.  Zscaler Client Connector

  • Mobile client installed on devices
  • Requests access to an app

3.  App Connector

  • Sits in front of apps in the data center, Azure, AWS, and other public cloud services
  • Provides inside-out TLS 1.2 connections to the broker
  • Makes apps invisible to prevent DDoS attacks

Discover shadow IT applications on AWS

Many enterprise teams are unaware of the sheer number of applications in their environment. ZPA identifies previously undiscovered internal applications running in the data center or on AWS infrastructure. Once identified, admins can set granular policies for each application, ensuring the environment remains secure and controlled. This, combined with ZPA’s ability to make known applications invisible to unauthorized users, reduces the attack surface dramatically.

[Figure: dashboard capture showing ZPA identifying previously undiscovered internal apps running on AWS infrastructure]

Choose application segmentation, not network segmentation

In the past, admins needed to segment networks to ensure secure user connections. Today, enterprises use ZPA to control which users access which applications. Admins can easily set granular policies at the application level for specific users, user groups, applications, application groups and associated subdomains.

[Figure: dashboard capture in which enterprises use ZPA to set granular policies at the app level for specific users or user groups]

1. Create and define policy names.
2. Set different permission levels for users and user groups.
3. Define the applications each policy is associated with.
4. Easily add new rules and policies for users and applications within the UI.

Suggested resources

  • Migrate to AWS Simply and Securely with Zscaler
  • How to Securely Access AWS VPCs using ZPA
  • GROWMARK Leverages Zscaler and AWS To Help Keep North American Food Production Secure
  • AWS and Zscaler for fast, secure access to the AWS cloud
  • Jefferson Health Migrates to a Cloud-First Model with Zscaler Workload Posture
  • Amazon WorkSpaces + Zscaler: Secure Access to Any Destination

Deployment guides

  • Traffic Forwarding/WorkSpace Deployment Guide
  • AWS S3 Deployment Guide