
Configuring Private Service Edges for Private Applications

Within the Admin Portal, you can add up to 100 Private Service Edges, 100 Private Service Edge groups, and 100 provisioning keys. For a complete list of ranges and limits per feature, see Ranges & Limitations.

To add a new Private Service Edge for Private Applications:

  1. Go to the Private Service Edges page (Infrastructure > Private Access > Component > Private Service Edges).
  2. Click Add Private Service Edge.

The Add Private Service Edge window appears.

  3. In the Add Private Service Edge window:
    • The provisioning key is a secure random text string that you need to enter when you deploy the Private Service Edge on a platform. Each key is associated with a specific Private Service Edge group and functions like an ID for the Private Service Edge. You can create a provisioning key or choose an existing one.

      After deployment, the Private Service Edge launches and makes initial contact with the cloud. It presents a key as its ID, allowing the cloud to verify that this is an authentic Private Service Edge and to identify which Private Service Edge group it belongs to, then automatically completes the deployment process.

      On the Choose Key tab, choose one of the following options:

      1. On the Signing Certificate tab, select the signing certificate that Private Applications uses to sign the certificates it issues to the Private Service Edge. If you need to generate a new enrollment certificate, see Generating an Enrollment Certificate.

      Make sure the certificate used to enroll Private Service Edges has the same root certificate as the root certificate used by the enrollment certificate for enrolling App Connectors and Zscaler Client Connector.

      2. Click Next.

      To learn more about certificates, see About Certificates.

    • On the Private Service Edge Group tab, choose one of the following options:

        1. Select an existing Private Service Edge group from the drop-down menu. You can search for a specific group or click Clear Selection to remove any selections. A Private Service Edge group can be associated with multiple provisioning keys, so you can assign this Private Service Edge to an existing group that is already associated with a provisioning key.

        2. Click Next.
        1. Click Add Private Service Edge Group and enter the following information:
        • Name: Enter a name for the group. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).
        • Description: (Optional) Enter a description for the group.
        • Status: Make sure Enabled is selected.
        • Publicly Accessible: Choose if the Private Service Edge group with specific trusted networks mapping is also available publicly for all users outside of these trusted networks. It is important to ensure the Private Service Edge is reachable over a public IP address if you need remote users to be able to connect to it.
          If the Private Service Edge has a public IP address or a published IP address set to a public IP address of a SNAT (i.e., firewall), you do not need to enable this field. It is already publicly accessible. If the Private Service Edge does not have either of those, set this to Enabled. You also need to specify a published domain for the Private Service Edge. For more information, see Editing a Deployed Private Service Edge for Private Applications.

        When Publicly Accessible is disabled and no trusted network is mapped, the IP address of the Private Service Edge is still returned to the client of any user, on-premises or roaming, for whom this is the closest Private Service Edge. To avoid connectivity failures for remote users who are directed to this Private Service Edge, ensure it is reachable over a public IP address.

        • Client Connector Trusted Networks: Your organization's trusted networks that are mapped to the Private Service Edge group. This is used to prioritize Private Service Edges when users connect from those trusted networks. To learn more, see About Trusted Networks.
        • Disaster Recovery: Enable to designate the Private Service Edge Group for disaster recovery. Private Service Edge Groups that are designated for disaster recovery bypass the cloud to ensure business continuity in the event of a disaster scenario. Disaster recovery is disabled by default. To learn more, see Understanding Disaster Recovery and About Disaster Recovery Private Service Edge Groups.

        Disaster Recovery Mode is triggered when you upload the DNS TXT records to the DNS server for the disaster recovery domain name. To learn more, see Creating DNS TXT Records.

        • Alternative Cloud Domain: Select an Alternative Cloud Domain to override the default cloud domain for this Private Service Edge Group. You can search for a specific cloud domain or click Clear Selection to remove a selection.
        • Persist Local Version Profile: Enable if the Private Service Edge Group should persist the local Version Profile. By default, Disabled is selected.
        • Version Profile: Displays the current Version Profile. The default value is set to Default. To learn more, see Configuring a Version Profile.
        • Private Service Edge Software Update Schedule: Schedule the periodic software update for the group by selecting the day of the week and start time. You can search for a specific day of the week and start time or click Clear Selection to remove any selections.
        • Private Service Edge Location: Enter the location where the Private Service Edges in the group are set up. The map displays the location you've entered. If you click the location marker on the map, the Latitude, Longitude, and Location Address fields are automatically populated.
          • Latitude: Displays the latitude coordinate.
          • Longitude: Displays the longitude coordinate.
          • Country Code: Displays the country code for the location address you’ve entered.
          • Location Details: Displays the location address you've entered.
        • Public Service Edge Proximity Override: Enable to allow Private Service Edge groups within the specified distance to be prioritized over a closer Public Service Edge.
        • Distance: Enter the maximum distance to Private Service Edge groups that would override a Public Service Edge, and select either Miles or Kms (kilometers) in the drop-down menu. The distance must be a positive number with at most two decimal places (e.g., 10.05), up to a maximum of 25,000 miles or 40,233.6 kilometers, and a unit must be selected.

          If multiple Private Service Edge groups are configured with the same location (i.e., latitude and longitude), then the Distance from the Private Service Edge group that has the highest value is applied for all Private Service Edge groups.

        2. Click Next.
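The Public Service Edge Proximity Override and Distance settings above define a small selection rule: a group's Distance is converted to a common unit, groups that share the same latitude and longitude all inherit the largest Distance configured among them, and a group is then eligible to take priority over a closer Public Service Edge when the user is within that effective distance. The following is an added example (not Zscaler's own code) that models this rule in Python; the group records, the user coordinates and the great-circle distance calculation are constructed for illustration, and the input check mirrors the Distance validation stated on this page.

```python
"""Constructed model of the Proximity Override distance rule (example, not product code)."""
import math
from dataclasses import dataclass

MILES_TO_KM = 1.609344
EARTH_RADIUS_KM = 6371.0
MAX_MILES, MAX_KM = 25_000.0, 40_233.6   # limits stated in the Distance field description


@dataclass
class EdgeGroup:
    """Hypothetical record of one Private Service Edge group's location settings."""
    name: str
    lat: float
    lon: float
    proximity_override: bool      # "Public Service Edge Proximity Override"
    distance: float = 0.0         # "Distance" value as entered in the portal
    units: str = "Kms"            # "Miles" or "Kms", as in the drop-down menu


def validate_distance(value: float, units: str) -> bool:
    """Positive, at most two decimal places, within the per-unit maximum, unit selected."""
    if units not in ("Miles", "Kms") or value <= 0:
        return False
    if round(value, 2) != value:
        return False
    return value <= (MAX_MILES if units == "Miles" else MAX_KM)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (constructed helper; the product's own
    distance computation is not described on the page)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def override_radius_km(group: EdgeGroup) -> float:
    return group.distance * MILES_TO_KM if group.units == "Miles" else group.distance


def effective_radii(groups: list) -> dict:
    """Groups at the same latitude/longitude all use the highest Distance among them."""
    largest_by_location: dict = {}
    for g in groups:
        if g.proximity_override:
            loc = (round(g.lat, 6), round(g.lon, 6))
            largest_by_location[loc] = max(largest_by_location.get(loc, 0.0), override_radius_km(g))
    return {g.name: largest_by_location[(round(g.lat, 6), round(g.lon, 6))]
            for g in groups if g.proximity_override}


def groups_overriding_public_edge(user_lat: float, user_lon: float, groups: list) -> list:
    """Names of groups, nearest first, that are within their effective override distance
    of the user and therefore take priority over a closer Public Service Edge."""
    radii = effective_radii(groups)
    eligible = []
    for g in groups:
        if not g.proximity_override:
            continue                       # override disabled: normal proximity applies
        d = haversine_km(user_lat, user_lon, g.lat, g.lon)
        if d <= radii[g.name]:
            eligible.append((d, g.name))
    eligible.sort()
    return [name for _, name in eligible]


if __name__ == "__main__":
    # Constructed sample: two groups share a location, one with 10 miles and one with 5 miles.
    sample = [
        EdgeGroup("grp-A", 0.0, 0.1, True, 10, "Miles"),
        EdgeGroup("grp-B", 0.0, 0.1, True, 5, "Miles"),   # inherits grp-A's 10 miles
        EdgeGroup("grp-C", 0.0, 0.5, True, 30, "Kms"),    # user is ~55 km away: too far
        EdgeGroup("grp-D", 0.0, 0.02, False),             # override disabled
    ]
    print(groups_overriding_public_edge(0.0, 0.0, sample))
```

In the sample, the user sits about 11 km from grp-A and grp-B; grp-B's own 5-mile (about 8 km) setting would exclude it, but because it shares coordinates with grp-A the larger 10-mile value applies to both, which is exactly the behaviour the note under Distance describes.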
      1. On the Create Provisioning Key tab:
        • Name: Enter a name for the provisioning key. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).
          This name is automatically assigned as a prefix for the name of each Private Service Edge enrolled with it. This means that all Private Service Edges enrolled with the key use the same prefix in their names.
          To help distinguish between the different Private Service Edges in a group, each Private Service Edge also has a number automatically added to its name upon being enrolled. This number signifies that it is the nth Private Service Edge to be enrolled with the key. For example, if you enter AWS Oregon as a provisioning key name in this step, the first Private Service Edge you enroll with this key is named AWS Oregon-1. The next Private Service Edge you enroll with the same key is named AWS Oregon-2, and so on.
        • Maximum Reuse of Provisioning Key: Enter the maximum number of instances where this key can be used to enroll a Private Service Edge. After adding the Private Service Edge, this number can be modified.
          The Instances of Provisioning Key Reuse field cannot be modified. The number of Private Service Edges enrolled with this key is tracked and displayed automatically in this field. Comparing it against the maximum you set helps ensure that the key is not being used improperly by unknown parties to enroll Private Service Edges.

      2. Click Next.
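The Create Provisioning Key tab describes three things an enrollment service must do with a key: recognise which key (and therefore which group) a newly deployed Private Service Edge presents, name the edge with the key's name plus its enrollment ordinal (AWS Oregon-1, AWS Oregon-2, ...), and refuse further enrollments once Maximum Reuse is reached, keeping the read-only reuse counter as evidence of how often the key was used. The following is an added example (not Zscaler's own code) of that enrollment logic in Python; the `ProvisioningKey` record, the `enroll` function and the stored-hash comparison are constructed assumptions about how such a service could be built, not a description of the product's implementation.

```python
"""Constructed model of provisioning-key enrollment (example, not product code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ProvisioningKey:
    """Hypothetical server-side record for one provisioning key."""
    name: str               # "Name": becomes the prefix of every enrolled edge's name
    group: str              # the Private Service Edge group the key is bound to
    max_reuse: int          # "Maximum Reuse of Provisioning Key" (editable later)
    key_hash: bytes         # only a digest of the secret is kept; the plaintext is shown once
    instances: int = 0      # "Instances of Provisioning Key Reuse" (read-only counter)
    enrolled: list = field(default_factory=list)


class EnrollmentError(Exception):
    pass


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()


def create_key(name: str, group: str, max_reuse: int) -> tuple:
    """Create a key bound to a group; return the record and the one-time plaintext secret."""
    if max_reuse < 1:
        raise ValueError("max_reuse must be at least 1")
    secret = secrets.token_urlsafe(32)          # a secure random text string
    return ProvisioningKey(name, group, max_reuse, _digest(secret)), secret


def enroll(keys: list, presented_secret: str) -> tuple:
    """Handle an edge's first contact: identify the key it presents, assign the edge its
    name and group, and enforce the reuse limit. Returns (edge_name, group)."""
    presented = _digest(presented_secret)
    # Constant-time comparison so lookup timing does not leak which digest matched.
    key = next((k for k in keys if hmac.compare_digest(k.key_hash, presented)), None)
    if key is None:
        raise EnrollmentError("unknown provisioning key: enrollment refused")
    if key.instances >= key.max_reuse:
        raise EnrollmentError(
            f"key '{key.name}' already used {key.instances} of {key.max_reuse} times")
    key.instances += 1                          # counter only ever grows
    edge_name = f"{key.name}-{key.instances}"   # e.g. "AWS Oregon-1", "AWS Oregon-2"
    key.enrolled.append(edge_name)
    return edge_name, key.group


def reuse_report(key: ProvisioningKey) -> str:
    """What an administrator reviews: enrollments seen versus the maximum allowed."""
    return f"{key.name}: {key.instances}/{key.max_reuse} enrollments -> {key.enrolled}"


if __name__ == "__main__":
    store = []
    oregon, oregon_secret = create_key("AWS Oregon", "us-west-group", max_reuse=2)
    store.append(oregon)
    print(enroll(store, oregon_secret))         # ('AWS Oregon-1', 'us-west-group')
    print(enroll(store, oregon_secret))         # ('AWS Oregon-2', 'us-west-group')
    print(reuse_report(oregon))
    try:
        enroll(store, oregon_secret)            # third use exceeds max_reuse=2
    except EnrollmentError as exc:
        print("rejected:", exc)
```

A reuse counter that is higher than the number of edges you actually deployed is the signal the page alludes to: it means the key was presented by a party you did not provision, and the key should be rotated.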
      1. On the Review tab, review your configuration settings.

      2. Click Save.
      1. On the Review Documentation tab:
        • Copy Provisioning Key: Copy the Private Service Edge provisioning key. You will need to enter this key when you deploy the Private Service Edge to a platform. You can click the Copy icon to copy the key to your clipboard.
        • Choose Platform: Choose the platform you want to deploy your Private Service Edge on, and follow the instructions that appear. To learn more, see the Private Service Edge Deployment Guide for your supported platform.

      2. Click Done.
Related Articles

  • About Private Service Edges for Private Applications
  • Configuring Private Service Edges for Private Applications
  • Editing a Deployed Private Service Edge for Private Applications