Products > ZPA for Azure

Your Apps Moved to Azure,
But How are You Securing Access to Them?

Time for a better approach to secure remote access

Network-centric security makes moving to Azure painful

Today, 40 percent of enterprises are running apps in Azure to increase scalability and speed. This move has extended the perimeter to the internet. Yet, many enterprises still rely on remote access VPNs, which are network-centric, and not built to secure access to the internet. They also place users on the network, and require physical or virtual appliances that increase complexity and limit scalability.

Common pitfalls of network-centric approaches:
  • Places users on-net to provide access to Azure
  • Requires appliances, ACLs and FW policies
  • Provides a poor end-user experience
  • Creates opportunities for DDoS attacks
  • Lacks the ability to provide true application segmentation
  • Lacks visibility into app-related activity
diagram showing Internet-bound traffic from remote users takes a slow, circuitous path as it’s routed through the data center security stack before it can head out to the cloud or open internet, then  goes back through the stack on its return trip.
Direct-to-cloud access with Zscaler Private Access for Azure

Zscaler Private Access for Azure

Enabling user- and application-centric security for Azure

Zscaler Private Access (ZPA) for Azure is a cloud service from Zscaler that provides zero-trust, secure remote access to internal applications running on Azure. With ZPA, applications are never exposed to the internet, making them completely invisible to unauthorized users. The service enables the applications to connect to users via inside-out connectivity versus extending the network to them. Users are never placed on the network. It provides a software-defined perimeter for Azure, that supports any device and any internal application.

Zscaler Private Access for Azure benefits

Transform with Zscaler.

Better remote user experience

Users have fast, direct-to-cloud access without having to login to remote access VPN client each time.

Less complexity for admins

Network admins can segment based on application from within the web UI. No need to segment by network. No IP address segmentation or access control lists required.

Secure remote access, w/o network access

Policy-based access, with no access to network. Visibility into apps being accessed by users and ability to discover unsanctioned apps running within Azure.

Traffic remains private via internet network

Service uses dynamic, application-specific TLS-based end-to-end encryption. All data remains private and enterprises can bring their own PKI.

No hardware appliances, lower costs

The cloud service requires no hardware. Enterprises can easily scale across multiple Azure and Zscaler data centers with no need to replicate gateways.

Scale elastically, reduce latency

The service uses the global Azure network to ramp up new users and route them to the app location nearest to them via internet-based networking.

Simplify secure remote access to internal apps on Azure

Zscaler Private Access takes a user- and application-centric approach to network security. It ensures that only authorized users and devices have access to specific internal applications on Azure. Rather than relying on physical or virtual appliances, ZPA uses lightweight infrastructure-agnostic software to connect users and applications to the Zscaler Security Cloud, where the brokered connection is stitched together. ZPA is complementary to Azure ExpressRoute.

a diagram showing zpa uses lightweight infrastructure to connect users and apps on azure to the zscaler security cloud
1.  ZPA Public Service Edge
  • Hosted in cloud
  • Used for authentication
  • Customizable by admins
  • Brokers a secure connection between a Client Connector
    and App Connector
2.  Zscaler Client Connector (formerly Zscaler App/Z App)
  • Mobile client installed on devices
  • Requests access to an app
3.  App Connector
  • Sits in front of apps in the data center, Azure, AWS, and other public cloud services
  • Provides inside-out TLS 1.2 connections to broker
  • Makes apps invisible to prevent DDoS attacks

Leverage the power of the Azure network

With Zscaler Private Access for Azure, a ZPA Public Service Edge, which brokers access between a remote user and an internal application, runs within the Azure cloud. This enables networking admins to leverage the Azure network and its many data center locations to reduce latency by minimizing hops, which boosts user productivity.

a diagram showing ZPA solution delivers a direct-to-cloud experience for all users, taking them quickly and seamlessly to the app that runs within Azure
capture from zpa for azure showing how zpa helps enterprises to manage access to internal apps and also reduces latency

Choose application segmentation, not network segmentation

In the past admins needed to segment networks to ensure secure user connections. Today, enterprises use ZPA to control which users access which applications. Admins can easily set granular policies at the application level for specific users, users groups, applications, application groups and associated subdomains.

diagram showing with ZPA, admins can easily set granular policies at the application level for specific users, users groups, applications, application groups and associated subdomains.
1.  Create and define policy names.
2.  Set different permissions levels for users and user groups.
3.  Define the applications each policy is associated with.
4.  Easily add new rules and policies for users and applications within the UI.

Key integrations accelerate the journey to Azure

We have developed integrations for Azure ecosystems, including integration with Azure AD, which enables admins to use ZPA to set access policies for user groups based on their existing configurations. Additionally, App Connector is available on the Azure Marketplace. App Connector front-ends apps on Azure and sends an inside-out connection to the Zscaler security cloud, where the brokered connection between an authorized user and application takes place.

capture showing azure marketplace enables admins to use ZPA to set access policies for user groups based on their existing configurations
capture showing the z-connectors, which sit in front of apps, also run within Azure, providing inside-out connections to the zens

Suggested Resources

Customer Story

See how MAN Energy Solutions uses ZPA to provide zero trust access to internal apps at global scale


Watch the ZPA for Azure webinar recording

Case Study

Microsoft and Zscaler partner for success

To gain fast, secure access to Zscaler Private Access for Azure, talk to Zscaler