icon-zia.svg
Secure Internet and SaaS Access (ZIA)

About Virtual Service Edge Clusters

Watch a video about Virtual Service Edge Clusters.

For production environments, ZIA Virtual Service Edge is deployed in a cluster. A cluster requires at least two Virtual Service Edges for active-active redundancy and load balancing. Each Virtual Service Edge cluster can contain a maximum of 16 Virtual Service Edge instances. Each Virtual Service Edge in a cluster requires a separate Virtual Service Edge subscription.

As shown in the diagram below, each Virtual Service Edge has a load balancer (LB) bundled in. The load balancer is specifically designed to distribute user traffic evenly across the Virtual Service Edges.

Zscaler does not recommend using external load balancers. However, if your organization must use an external load balancer, see Using an External Load Balancer with Virtual Service Edges.

To ensure high availability, the Zscaler load balancers use the Common Address Redundancy Protocol (CARP) for active-passive fault tolerance. As shown in the diagram, all Virtual Service Edge instances in the cluster are active, and one load balancer instance is active at a time. The active load balancer receives ingress traffic through the cluster IP address and directs the traffic to the appropriate Virtual Service Edge. If the active load balancer fails, then the passive load balancer automatically takes over, ensuring no disruption in service. Virtual Service Edges also run in Direct Server Return (DSR) mode. DSR allows the requests to go through the load balancer to the Virtual Service Edge, but the response flows from the Virtual Service Edge to the user, skipping the load balancer on the return.

Diagram of a Virtual Service Edge load balancing.

For evaluation purposes with test traffic, you can configure a Virtual Service Edge in standalone mode, which does not support failover. Zscaler does not support standalone Virtual Service Edges for production environments with live user traffic.

About the Virtual Service Edge Clusters Page

On the Virtual Service Edge Clusters page (Administration > Virtual Service Edges > Virtual Service Edge Clusters), you can:

  1. Add a Virtual Service Edge Cluster.
  2. View a list of all Virtual Service Edge clusters that were configured for your organization. For each Virtual Service Edge cluster, you can see the following information:
    • Name: The name of the Virtual Service Edge cluster. You can sort this column.
    • Status: Displays whether the Virtual Service Edge cluster is enabled or disabled. You can sort this column.
    • Virtual Service Edges: The Virtual Service Edge instances that are included in the cluster. You can sort this column.
    • Cluster IP: The cluster IP address. You can sort this column.
    • IPSec Local Termination: The status of IPSec local termination for the Virtual Service Edge cluster. You can sort this column.
  3. Edit a Virtual Service Edge Cluster.
  4. Modify the table and its columns.
  5. Search for a Virtual Service Edge cluster.
  6. Go to the Virtual Service Edges page to manage and configure Virtual Service Edges.

Screenshot highlighting the different features on the Virtual Service Edge Clusters page.

Related Articles
About Virtual Service EdgesAbout Virtual Service Edge ClustersConfiguring Virtual Service Edge ClustersUsing an External Load Balancer for Virtual Service Edge ClustersConfiguring Virtual Service Edge for Microsoft AzureConfiguring Virtual Service Edge for Amazon Web ServicesConfiguring Virtual Service Edge for Amazon Web Services with GWLBConfiguring Virtual Service Edge for Microsoft Hyper-VConfiguring Virtual Service Edge for Google Cloud PlatformAdding Virtual Service Edge InstancesAdding Virtual Service Edge ClustersDownloading a Virtual Service Edge VMDownloading Virtual Service Edge CertificatesConfiguring Virtual Service Edge and NTP Server SynchronizationVirtual Service Edge Configuration Guide for Dual Arm ModeDeploying Kerberos for Virtual Service EdgesForwarding Traffic to Virtual Service Edges