Faster, simpler and more secure remote access to apps in AWS

Zscaler Private Access for AWS

The challenge of incumbent remote access solutions

Why does remote access to AWS still rely on the data center?

When legacy remote access solutions were created, security meant a secure perimeter around the network, and networking relied on the hub-and-spoke model. This has since changed. Now, almost 60% of enterprises run applications in AWS. Apps that once resided in the data center are now being migrated to the AWS cloud. Yet most remote access still relies on routing traffic through a gateway hosted within the data center first. Enterprises still rely on the remote access VPN to provide remote access to internal applications running within AWS.

Legacy remote access diminishes the value of cloud and mobility
  • Breaks the cloud user experience
  • Increased complexity for admins
  • High costs to purchase and manage appliances
  • Increased risk with users on network
  • Inability to control access to specific apps hosted in AWS
  • Lack of visibility into internal applications running in AWS
Relying on UTM and NGFW appliances to secure internet traffic is costly, results in appliance sprawl, and compromises branch security.

Zscaler Private Access for AWS

Secure, direct-to-cloud remote access to apps in AWS

Zscaler Private Access (ZPA) for AWS is a cloud service from Zscaler that provides seamless and secure remote access to internal applications running in AWS. The service delivers a seamless, cloud-like user experience, taking remote employees directly to the app in AWS instead of extending the network to them. Since the service is completely cloud-based, no gateway appliances are necessary, which reduces both cost and complexity. Admins have full visibility into the applications running in AWS or their data center, and can control who has access to them. Customizable policies hosted in the global Zscaler cloud give admins the ability to determine which remote users have access to which specific applications.

Zscaler Private Access for AWS benefits

Transform with Zscaler.

Better remote user experience

Users have fast, direct-to-cloud access without having to log in to a remote access VPN client each time.

Secure remote access, without network access

Policy-based access, with no access to the network. Visibility into the apps being accessed by users and the ability to discover unsanctioned apps running within AWS.

No hardware appliances, lower costs

The cloud service requires no hardware. Enterprises can easily scale across multiple AWS and Zscaler data centers with no need to replicate gateways.

Less complexity for admins

Network admins can segment based on application from within the web UI. No need to segment by network. No IP address segmentation or access control lists required.

Traffic remains private via internet network

The service uses dynamic, application-specific, TLS-based end-to-end encryption. All data remains private and enterprises can bring their own PKI.

Scale elastically, reduce latency

The service uses the global AWS network to ramp up new users and route them to the app location nearest to them via internet-based networking.

Software-defined perimeter for secure remote access to AWS

The Zscaler Private Access (ZPA) service provides seamless and secure remote access to internal applications in AWS without placing users on the corporate network. The cloud service requires no complex remote access VPN gateway appliances, and uses cloud-hosted policies to authenticate access and route traffic to the application located nearest the user. It is a true software-defined solution that can work in conjunction with AWS ExpressRoute, which directly connects their data centers to AWS data centers.

1.  Cloud Policy Engine
  • Hosted in cloud
  • Used for authentication
  • Customizable by admins
2.  Z-App
  • Mobile client installed on devices
  • Requests access to an app
3.  Z-Connector
  • Sits in front of app in AWS
  • Listens for access requests to apps
  • No inbound connections
4.  Z-Broker
  • Brokers a secure connection between a Z-App and a Z-Connector

Discover applications running within AWS

Zscaler Private Access uses its Z-Connectors, which sit in front of applications, to identify user traffic flowing to all applications nearby. This enables admins to identify previously undiscovered applications being used within AWS and then apply granular policy-based access controls. This reduces Shadow IT and helps to ensure that admins remain in control of their environment.

Control which users access which applications in AWS

Zscaler Private Access provides application segmentation. This allows security admins to set policies for specific user groups and applications, as well as any associated subdomains. Network admins do not have to segment by network.

1.  Create and define policy names
2.  Set different permission levels for users and user groups
3.  Define the applications each policy is associated with
4.  Easily add new rules and policies for users and applications within the UI

Suggested Resources

Customer Story

See how MAN Diesel & Turbo SE uses ZPA to provide zero-trust access to internal apps, at global scale