Within the Admin Portal, you can enable disaster recovery for critical application segments, App Connector Groups, or Private Service Edge Groups to ensure business continuity in the event of a disaster scenario that impacts the global cloud infrastructure. To learn more, see Understanding Disaster Recovery.

In Disaster Recovery Mode, all App Connectors in an App Connector group that are designated for disaster recovery restart their connector services, and all Private Service Edges in a Private Service Edge group that are designated for disaster recovery restart their service-edge services. When the services restart, existing user connections to the test App Connectors and Private Service Edges that are designated for disaster recovery are dropped.

To configure Disaster Recovery:

1. Ensure the prerequisites are met.
2. Configure disaster recovery for an application segment, App Connector Group, and Private Service Edge Group. Disaster Recovery must be enabled in the application segment, App Connector Group, and Private Service Edge Group for disaster recovery to work.

An application segment with disaster recovery enabled must be associated with a server group. This server group must be associated with at least one App Connector Group designated for disaster recovery. Additionally, ensure that Admin Portals designated for disaster recovery can reach App Connectors for application segments designated for disaster recovery.

3. Configure the disaster recovery settings.
4. Capture all the public IP addresses of the Private Service Edges designated for disaster recovery into the A record for the disaster recovery domain name you have created. The public IP of the Private Service Edge is found in the Private Service Edges page (Infrastructure > Private Access > Component > Private Service Edges).
5. Configure the disaster recovery settings for an App Profile in the Zscaler Client Connector Portal.

Steps 2, 3, and 4 are interchangeable and can be completed in any order.

To disable disaster recovery entirely:

1. If disaster recovery is currently active, deactivate disaster recovery.
2. Disable Disaster Recovery when configuring an application segment, App Connector Group, and Private Service Edge Group.
3. Disable disaster recovery when configuring an App Profile in the Zscaler Client Connector Portal.

Configuring Disaster Recovery Test Mode

The option to test disaster recovery is supported via Disaster Recovery Test Mode. When Disaster Recovery Test Mode is enabled, the Admin Portal is accessible. However, any changes made to the cloud via the Admin Portal do not take effect until Disaster Recovery Test Mode is disabled via the DNS records, or the activation record expires. During active Disaster Recovery Mode, App Connectors and Private Service Edges are disconnected from the Zscaler cloud. In contrast, the Admin Portal is not supported during Disaster Recovery Mode.

In Disaster Recovery Test Mode, all App Connectors in an App Connector group that are designated for disaster recovery restart their Private Applications-connector services, and all Private Service Edges in a Private Service Edge group that are designated for disaster recovery restart their Private Applications service-edge services. When the services restart, existing user connections to the test App Connectors and Private Service Edges that are designated for disaster recovery are dropped. New connections for regular users that are not part of the disaster recovery test group are routed through either Public Service Edges or regular Private Service Edges and App Connectors that are not designated for disaster recovery. Users participating in disaster recovery testing that are part of the disaster recovery test group also form new connections to the Private Service Edges and App Connectors that are part of the test mode.

To handle both disaster recovery and non-disaster-recovery-related traffic, Zscaler recommends you analyze the patterns of application access for both normal cloud usage and disaster recovery usage to size and partition systems appropriately. Zscaler recommends you review the following:

• During non-disaster recovery conditions, both Private Service Edges and App Connectors designated for disaster recovery are used for application access. After disaster recovery is activated, only the App Connectors and Private Service Edges designated for disaster recovery are used for application access during active Disaster Recovery Mode. This means the App Connectors and Private Service Edges designated for disaster recovery are no longer available for cloud application access.
• During active Disaster Recovery Test Mode, normal cloud application access and application access via disaster recovery happens concurrently. This depends on the user assignment via App Profiles in the Zscaler Client Connector Portal. Systems must be sized and partitioned appropriately for both normal cloud application access and application access via disaster recovery.
• To support both users accessing applications via the cloud and users accessing applications via disaster recovery, a sufficient number of Private Service Edges designated for disaster recovery and Private Service Edges designated for regular use are required for both disaster-recovery-related and non-disaster-recovery-related traffic. You must configure and upload a DNS A record to the disaster recovery domain name using the IP addresses of the Private Service Edges designated for disaster recovery. To learn more, see Activating Disaster Recovery.
• Ensure all application segments designated for disaster recovery are assigned a sufficient number of App Connectors for use with the cloud, and assigned a sufficient number of App Connectors at a group level that are designated for disaster recovery to allow continued application access.
• Normal App Connector and Private Service Edge resource specifications apply to App Connectors and Private Service Edges that are designated for disaster recovery. To learn more, see App Connector Deployment Prerequisites and Private Service Edge Deployment Prerequisites.

To configure Disaster Recovery Test Mode:

1. Ensure the prerequisites are met.
2. Configure disaster recovery for an application segment, App Connector Group, and Private Service Edge Group. Disaster Recovery must be enabled in the application segment, App Connector Group, and Private Service Edge Group for Disaster Recovery Test Mode to work.

An application segment designated for disaster recovery must be associated with a server group. This server group must be associated with at least one App Connector Group designated for disaster recovery.

3. Configure the disaster recovery settings.
4. Configure the disaster recovery settings for an App Profile in the Zscaler Client Connector Portal.

Create a separate App Profile for Disaster Recovery Test Mode and designate specific users for testing. This is to ensure the test is isolated and does not impact users or traffic in production.

Steps 2, 3, and 4 are interchangeable and can be completed in any order.

Activating Disaster Recovery

Disaster recovery is activated by uploading the DNS TXT records to the DNS Server for the Disaster Recovery Domain Name configured in the Disaster Recovery Settings. Both signed and unsigned DNS TXT records are supported for disaster recovery activation.

To enable Disaster Recovery Mode:

1. Create a DNS TXT record with On as the disaster recovery status when using the Zscaler DNS Record Generator.
2. Upload the DNS TXT record to the DNS server for the disaster recovery domain name. To learn more, see Disaster Recovery Settings.

Disaster Recovery Mode is activated when you upload the DNS TXT records to the DNS server for the disaster recovery domain name.

To enable Disaster Recovery Test Mode:

1. Create a DNS TXT record with Test as the disaster recovery status when using the Zscaler DNS Record Generator.
2. Upload the DNS TXT record to the DNS server for the disaster recovery domain name. To learn more, see Disaster Recovery Settings.

Disaster Recovery Test Mode is activated when you upload the DNS TXT records to the DNS server for the disaster recovery domain name.

Deactivating Disaster Recovery

To disable Disaster Recovery Mode and Disaster Recovery Test Mode:

1. Create a DNS TXT record with Off as the disaster recovery status when using the Zscaler DNS Record Generator.
2. Upload the DNS TXT record to the DNS server for the disaster recovery domain name. To learn more, see Disaster Recovery Settings.

Disaster Recovery Mode is disabled when you upload the DNS TXT records to the DNS server for the disaster recovery domain name.

Disaster Recovery Mode is turned off when the DNS time to live (TTL) expires. Zscaler recommends that you use a DNS TTL that is suitable for your environment and disaster recovery needs. Zscaler does not recommend choosing very high or very low DNS TTL values (e.g., values greater than 15 minutes or less than 30 seconds).