
About Data Center Exclusion Based on Traffic Forwarding Method

If a Zscaler data center (DC) is having a service-affecting issue, admins can disable all IPSec VPN tunnels terminating at a virtual IP (VIP) address of the affected DC directly from the Admin Portal. With this action, admins trigger a failover from primary to secondary tunnels at the endpoint on their organization’s premises in the event of service disruptions, Zscaler Trust Portal incidents, disasters, etc. Tunnel failover is then performed according to the VPN endpoint device configuration.

This capability is supported by excluding DCs from service based on the traffic forwarding method. In the Admin Portal, an admin selects the DC and the duration (up to 15 days) of the DC exclusion, which can be renewed after it expires or edited as needed. When an admin saves and activates the configured DC exclusion:

  1. The admin’s action of disabling the tunnels is logged in the Audit Logs in the Admin Portal.
  2. A notification from the Zscaler Central Authority (CA) is sent to the DC indicating that the DC is excluded from service to the organization.
  3. Any existing tunnels to the DC are brought down immediately, and no new tunnels to the DC from the organization can be established during the exclusion.
  4. The status of the tunnels and the reason they are down are logged in the Tunnel Insights Logs in the Admin Portal.

The DC is restored for service when the configured exclusion expires, or if an admin takes action before the expiration. When a DC is restored for service, a new notification from the Zscaler CA is sent indicating that the DC is restored for service to the organization. At this point, existing tunnels can re-establish to the DC and new tunnels can be established.

DC exclusion based on the traffic forwarding method enables you to:

  • Ensure business continuity and connectivity resilience during service-affecting events.
  • Initiate a failover from primary to secondary tunnels more quickly and easily, without relying on multiple managed service providers.
  • Disable and enable tunnels according to your organization’s evolving requirements, without needing to delete credentials.

About the Traffic Forwarding Method Page

On the Traffic Forwarding Method page (Infrastructure > Internet & SaaS > Traffic Forwarding > DC Exclusion), you can do the following:

  1. Add a DC exclusion.
  2. View a list of all DC exclusions. For each DC exclusion, you can view the following information:
    • Data Center: The name of the DC.
    • Traffic Forwarding Method: The traffic forwarding method (e.g., IPSec VPN tunnels) disabled for the DC.
    • Begin Time: The beginning date and time of the DC exclusion.
    • Expiration Time: The expiration date and time of the DC exclusion. A warning icon appears when the exclusion is expired.
    • Description: (Optional) A description of the DC exclusion.
  3. Search for a configured DC exclusion.
  4. Modify the table and its columns.
  5. Edit a configured DC exclusion.
  6. Delete a configured DC exclusion.
Screenshot of the Traffic Forwarding Method page in the ZIA Admin Portal