Secure Internet and SaaS Access (ZIA)
Integrating with Microsoft Azure Virtual WAN
Zscaler's integration uses Microsoft's Azure Virtual WAN (VWAN) APIs to discover, query, and configure Azure hubs. When the integration is configured, the Zscaler service can sync hub information from Azure. After hub information is synced, outbound IPSec tunnels from any of the hubs to the nearest Zscaler data center can be created with a one-click configuration process. The one-click process automatically configures the Azure hubs and provisions Locations and VPN Credentials for these hubs within the ZIA Admin Portal.
Zscaler and Microsoft are technology partners. For more information on integrating Zscaler and Azure Traffic Forwarding, see the Zscaler and Azure Traffic Forwarding Deployment Guide.
Prerequisites
Before you begin the Azure VWAN integration setup, make sure that you have:
- A valid subscription for Azure VWAN which is an additional cost. Refer to Microsoft Azure pricing for more details.
- At least one Azure hub configured.
- Added Zscaler as a Security Partner Provider. To learn more, refer to the Microsoft documentation.
You must configure the Zscaler VWAN Hub as a Security Partner Provider in Microsoft Azure; otherwise, the hub fails to sync with the ZIA Admin Portal.
Limitations of Zscaler integration to Azure VWAN
There are some limitations to keep in mind while integrating Zscaler with your Azure VWAN.
- Redundant tunnels are not supported. Only one outbound tunnel from an Azure VWAN hub to a Zscaler tenant is supported.
- Azure Government isn't supported.
- No failover to another Zscaler data center based on unavailability or load. This follows from redundant tunnels not being supported.
- No support for sub-locations. Only Zscaler locations are supported.
- No multi-tenancy. Traffic from multiple VNETs belonging to the same organization goes through the same VWAN hub to the Zscaler tenant.
- Support for one Zscaler cloud per Azure VWAN hub. Multiple clouds, including beta and production, need additional VWAN hubs. The current VWAN hub limit is one hub per region, per subscription. Refer to Azure documentation for any updates to this.
- Support for one Azure tenant per Zscaler cloud. You cannot terminate tunnels to multiple Azure VWAN hubs across multiple subscriptions.
Step 1: Create an Azure Service Principal for Azure VWAN
- Log in to the Azure portal.
- Create a service principal in Azure Active Directory (AD). During setup, you must obtain the Application ID, Application Key, Tenant ID, and Subscription ID to complete Step 2 of the integration procedure:
- Create a new application registration for Zscaler and obtain the Application ID:
  - From the left-side navigation, click Azure Active Directory.
  - In the panel that appears, under Manage, click App registrations.
  - Click New registration.
  - In the Register an application panel that appears:
    - Enter a Name for the application (e.g., Zscaler API).
    - For Supported account types, select Accounts in this organizational directory only.
    - For Redirect URI, enter the sign-on URL for the application. This is the Cloud Portal URL for your Zscaler cloud (e.g., https://admin.zscalertwo.net).
    - Click Register.
  - Copy the Application ID for the registered Zscaler application you created in the previous step. This is the Application ID you need to complete the integration within the ZIA Admin Portal for Step 2 of the integration procedure.
You must assign the registered Zscaler application to a role to access resources in Azure VWAN.
  - From the left-side navigation, click All services.
  - In the panel that appears, click General, then Resource groups.
  - Find and select the resource group that you set up for Azure VWAN. If you do not have a resource group, refer to the Microsoft Azure Virtual WAN documentation.
Zscaler recommends that you use a separate resource group for Azure VWAN to reduce the scope of the changes that can be performed by the service principal.
  - Click Access control (IAM).
  - Click Add > Add role assignment.
  - In the Add role assignment panel that appears:
    - For Role, select Contributor.
    - For Assign access to, select Azure AD user, group, or service principal.
    - For Select, select the registered Zscaler application you created previously (e.g., Zscaler API).
    - Click Save.
- Create a service principal authentication key and obtain the key value (i.e., Application Key):
  - From the left-side navigation, click Azure Active Directory.
  - In the panel that appears, under Manage, click App registrations.
  - Find and click the Zscaler application registration (e.g., Zscaler API). To learn more, see Create a New App Registration for Zscaler and Obtain the Application ID above.
  - Click Certificates & secrets.
  - In the panel that appears, under Client secrets, click New client secret.
  - In the Add a client secret panel:
    - Enter a Description for the key.
    - For Expires, select an expiration period for the key (e.g., 1 year).
    - Click Add.
The key's Value appears within the panel after you save. You must copy the key value now; you cannot retrieve it later. The Zscaler service uses the Application ID and the key Value to authenticate to Azure. This is the Application Key you need to complete the integration within the ZIA Admin Portal for Step 2 of the integration procedure.
- Obtain the Tenant ID (i.e., Directory ID):
  - From the left-side navigation, click Azure Active Directory.
  - In the panel that appears, under Manage, click Properties.
  - Under Directory properties, copy the Directory ID. This is the Tenant ID you need to complete the integration within the ZIA Admin Portal for Step 2 of the integration procedure.
- Obtain the Subscription ID:
  - From the left-side navigation, click All services.
  - In the panel that appears, under General, click Subscriptions.
  - In the table, find the subscription that holds the role you assigned to the registered Zscaler application and copy its Subscription ID. This is the Subscription ID you need to complete the integration within the ZIA Admin Portal for Step 2 of the integration procedure.
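The Contributor assignment above is the only Azure permission the integration needs, and the note under the resource-group step recommends a dedicated resource group to keep the service principal's blast radius small. The following check, an added example that is not part of the Zscaler documentation, audits the assignments of the registered application for exactly that: it takes the list printed by `az role assignment list --assignee <APP_ID> --all -o json` (field names `roleDefinitionName` and `scope` assumed from that CLI output, sample data constructed here) and flags any assignment wider than Contributor on the VWAN resource group, as well as a missing required assignment.

```python
"""Audit the Zscaler VWAN service principal's role assignments for least privilege.
Added example, not from the Zscaler documentation. Input: the list printed by
`az role assignment list --assignee <APP_ID> --all -o json` (field names assumed
from that output). Flags anything wider than Contributor on the VWAN resource group."""
import re

# Azure scope path: /subscriptions/<id>[/resourceGroups/<rg>][/providers/<resource path>]
_SCOPE_RE = re.compile(r"^/subscriptions/[^/]+(?:/resourceGroups/(?P<rg>[^/]+))?(?:/providers/.+)?$", re.IGNORECASE)


def scope_level(scope: str) -> str:
    """'subscription', 'resourceGroup', 'resource', or 'other' (root or management group)."""
    m = _SCOPE_RE.match(scope)
    if not m:
        return "other"
    if "/providers/" in scope.lower():
        return "resource"
    return "resourceGroup" if m.group("rg") else "subscription"


def audit_assignments(assignments: list[dict], expected_rg: str,
                      allowed_role: str = "Contributor") -> list[str]:
    """One finding per over-broad assignment, plus one if the Step 1 assignment is absent."""
    findings, has_required = [], False
    for a in assignments:
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        level, m = scope_level(scope), _SCOPE_RE.match(scope)
        rg = m.group("rg") if m else None          # None at subscription, root or management-group scope
        if rg is None:
            findings.append(f"{role} at {level} scope {scope!r}: outside the VWAN resource group")
        elif rg.lower() != expected_rg.lower():
            findings.append(f"{role} on {rg!r}: not the VWAN resource group")
        elif role != allowed_role:
            findings.append(f"{role!r} on {expected_rg!r}: only {allowed_role!r} is needed")
        elif level == "resourceGroup":
            has_required = True                    # the assignment Step 1 asks for is present
    if not has_required:
        findings.append(f"no {allowed_role!r} assignment on {expected_rg!r}: Step 1 role assignment missing")
    return findings


# Constructed sample: one correct assignment and two that exceed the recommended scope.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "Zscaler API", "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-vwan-prod"},
    {"principalName": "Zscaler API", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "Zscaler API", "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-finance"},
]
```

Run `audit_assignments(SAMPLE_ASSIGNMENTS, "rg-vwan-prod")` to see the two over-broad assignments reported; an empty list of assignments yields only the "missing" finding.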
Step 2: Set up your Azure VWAN integration on Zscaler
- Log in to the ZIA Admin Portal.
- Go to Administration > Partner Integrations.
- In the Azure Virtual WAN tab, under Azure AD Authentication Credentials:
- Enter your Application ID.
- Enter your Application Key.
- Enter your Tenant ID (i.e., Directory ID).
- Enter your Subscription ID.
- Click Test to see whether your Azure integration with Zscaler succeeded.
If your Azure AD authentication credentials are valid, you can proceed to Step 3 of the integration procedure.
If the test was unsuccessful, ensure that Zscaler VWAN Hub is properly configured as a Security Partner Provider to avoid any sync failures with the ZIA Admin Portal. To learn more, refer to the Microsoft documentation.
Step 3: Sync and Configure your Azure Hubs on Zscaler
When your Azure AD authentication credentials are validated, click Sync. This syncs your Azure hubs to the Zscaler service. The Azure Hub Locations Sync section updates, showing the last sync timestamp and the number of hub sites that were successfully synced.
Clicking on the hub sites hyperlink takes you to the Administration > Location Management page. Go to the Azure Virtual WAN Locations tab. All Azure Hub locations, along with the associated Azure Region, are displayed. Initially, the tunnel configuration is set to Not Configured, and the Azure Sites, Zscaler Location, IP Address, and VPN Connection columns are empty.
Review the table and then edit each location to start the tunnel configuration. To learn more, see Configuring Azure VWAN Locations.
Troubleshooting
During the Azure Virtual WAN authentication, you might see one of the following errors:
- INVALID CREDENTIALS: Tenant ID, Subscription ID, Application ID, and Application Secret are all required. If one of these is not configured, you see this error.
- DUPLICATE ITEM: The entered Subscription ID is already associated with another organization.
- ACCESS FAILURE: The Subscription ID is not available for this account. This likely means that the Subscription ID was entered incorrectly.
- NOT AUTHORIZED: The Zscaler UI received a 401 or 403 response from an Azure API it called. Contact your Azure support representative for assistance.
- ACCESS FAILURE: The Zscaler UI received a 404 response when authenticating with the Azure portal. Contact your Azure support representative for assistance.
- UNEXPECTED ERROR: Contact your Zscaler Support Engineer for assistance.