icon-zia.svg
Secure Internet and SaaS Access (ZIA)

Excluding a Data Center Based on Traffic Forwarding Method

To enable the DC Exclusion for Traffic Forwarding option for your tenant, contact Zscaler Support.

If a Zscaler data center (DC) is having an issue affects the service, you can disable all IPSec VPN tunnels terminating at a virtual IP (VIP) address of the affected DC directly from the ZIA Admin Portal. With this action, you trigger a failover from primary to secondary tunnels at the endpoint of your organization’s premises, ensuring business continuity and connectivity resilience.

In the event of service disruptions, Zscaler Trust Portal incidents, disasters, etc., you can exclude DCs from service based on the traffic forwarding method. In the ZIA Admin Portal, you select the DC and the duration of the DC exclusion. You can renew the exclusion after it expires or edit it as needed.

The DC is restored for service to your organization when the configured exclusion expires or if you take action before the expiration. When a DC is restored for service, existing VPN tunnels can re-establish to the DC and new VPN tunnels can be established.

To add a DC exclusion:

  1. Go to Administration > Resources > Traffic Forwarding Method.

  2. Click + DC Exclusion.

    The Add DC Exclusion window appears.

  3. In the Add DC Exclusion window:

    • Data Center: Select a DC.
    • Traffic Forwarding Method: This is the traffic forwarding method (e.g., IPSec VPN tunnels) to be disabled for the DC.
    • Begin Time (UTC Time): Set the date and time at which the DC exclusion begins and tunnels are disabled for the DC. You can set the exclusion to begin within a month from the current date. The time is displayed in Coordinated Universal Time (UTC). Set the Begin Time at least 5 minutes from the current time (e.g., if the current time is 11:30 a.m. UTC, set the Begin Time to 11:35 a.m. UTC.)
    • Expiration Time (UTC Time): Set the date and time at which the DC exclusion expires and tunnels are re-enabled for the DC. You can set the expiration within 15 days from the Begin Time. The time is displayed in Coordinated Universal Time (UTC). Set the Expiration Time to at least 2 hours from the Begin Time (e.g., if the Begin Time is 11:30 a.m. UTC, set the Expiration Time to 1:30 p.m. UTC.)
    • Description: (Optional) Enter a description of the DC exclusion.

  4. Click Save and activate the change.

When the DC exclusion expires, a warning message appears, prompting you to edit the exclusion period, if required. You can edit the exclusion period before it expires as needed.

Related Articles
Choosing Traffic Forwarding MethodsBest Practices for Traffic ForwardingHandling DNS Resolution for Various Traffic Forwarding MethodsUnderstanding Zscaler Authoritative DNS ServersAbout SubcloudsUnderstanding SubcloudsEditing a SubcloudAbout Data Center Exclusion Based on Traffic Forwarding MethodExcluding a Data Center Based on Traffic Forwarding MethodAbout Static IPSelf-Provisioning of Static IP AddressesImporting Static IP Address from a CSV FileUnderstanding Multi-Cluster Load SharingUnderstanding Proxy ModeDetermining Optimal MTU for GRE or IPSec TunnelsImplementing Zscaler in No-Default Route EnvironmentsVerifying a User's Traffic is Being Forwarded to the Zscaler ServiceAlternative Options to Caching Web TrafficTroubleshooting Users' Traffic not Going to the Nearest ZIA Public Service EdgeConfiguring Disaster RecoveryZscaler Traffic Bypasses