Secure Internet and SaaS Access (ZIA)
Self-Provisioning of GRE Tunnels
You can self-provision your GRE tunnels to connect to the Zscaler service via the ZIA Admin Portal. To learn more, see About GRE Tunnels.
Self-provisioning of GRE tunnels towards Private Service Edge clusters is only supported for clusters deployed on public IP space (i.e., a non-NAT environment). If you need to build a GRE tunnel towards a Private Service Edge cluster deployed within a NAT environment, contact Zscaler Support or submit a Zscaler Support ticket.
To configure the self-service GRE tunnels from the ZIA Admin Portal:
- Go to Administration > Static IPs & GRE Tunnels.
- Click Add GRE Tunnels. The Add GRE Tunnel Configuration wizard opens. If you edit an existing configuration, the Edit GRE Tunnel Configuration wizard opens.
- On the Source IP tab:
  - Static IP Address: Select an available static IP address that you want to map to your GRE tunnel. You can map only one static IP address to a GRE tunnel. You cannot modify this field if you are editing an existing configuration.
    A static IP address that is already mapped to a Location is not available for mapping to a GRE tunnel and therefore does not appear in the drop-down menu.
  - Description: (Optional) Enter additional information or notes about the GRE tunnel.
  - Managed By: Select whether the GRE tunnel is managed by self or by a specific Zscaler partner. You cannot modify this field if you are editing an existing configuration.
- Click Next.
- On the Data Center tab:
  - Domestic Preference: Enable this option to prioritize Zscaler data centers from the country of origin of the IP address even if they are farther away than other Zscaler data centers.
  - Primary Data Center VIP: Select a primary data center VIP address that is active on the Zscaler cloud. This field lists the 5 geographically closest data centers to choose from. By default, an active data center VIP is auto-selected based on geographical proximity. If Domestic Preference is enabled, then an active data center VIP within the country of origin of the IP address is auto-selected.
  - Secondary Data Center VIP: Select a secondary data center VIP address that is active on the Zscaler cloud. Ensure that the primary and the secondary VIP destinations do not point to the same data center. This field lists the 5 geographically closest data centers to choose from. By default, an active data center VIP is auto-selected based on geographical proximity. If Domestic Preference is enabled, then an active data center VIP within the country of origin of the IP address is auto-selected.
    If your organization uses Private Service Edges, the Primary and Secondary Data Center VIP fields first list Private Service Edge VIP addresses.
- Click Next.
- On the Internal IP Range tab:
  - Is Unnumbered IP: Enable this option if you do not require an internal IP address on each side of your GRE tunnel.
  - Select Internal GRE IP Range: Select an internal IP address range from the default pool of ten available IP address ranges on the Zscaler Cloud. You can also use the search bar to search for and select from other available RFC1918 IP address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- Click Next.
- From the Review tab, review and edit your configurations if you want to change any of the values.
- Click Save and activate the change.
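
The constraints stated in the steps above can be checked against a planned set of tunnels before you enter them in the wizard. The following is an added example, not Zscaler code: the dictionary keys, data center names, and sample addresses are hypothetical planning-sheet values and do not correspond to ZIA Admin Portal or API fields.

```python
import ipaddress

# RFC 1918 blocks the page lists for the internal GRE IP range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_tunnel_plan(tunnels, location_mapped_ips=()):
    """Return (tunnel name, problem) pairs for a planned set of GRE tunnels.

    Keys are hypothetical planning-sheet names, not Zscaler API fields.
    """
    mapped = {ipaddress.ip_address(ip) for ip in location_mapped_ips}
    problems = []
    for t in tunnels:
        name = t["name"]
        # A static IP already mapped to a Location is not offered for a tunnel.
        if ipaddress.ip_address(t["static_ip"]) in mapped:
            problems.append((name, "static IP already mapped to a Location"))
        # Primary and secondary VIPs must not point to the same data center.
        if t["primary_dc"] == t["secondary_dc"]:
            problems.append((name, "primary and secondary VIP in same data center"))
        # Numbered tunnels need an internal range inside RFC 1918 space.
        if not t.get("unnumbered", False):
            rng = t.get("internal_range")
            if rng is None:
                problems.append((name, "numbered tunnel has no internal range"))
            else:
                net = ipaddress.ip_network(rng, strict=True)
                if not any(net.subnet_of(block) for block in RFC1918):
                    problems.append((name, "internal range outside RFC 1918"))
    return problems

# Constructed sample plan (documentation addresses, made-up data center names).
PLAN = [
    {"name": "branch-a", "static_ip": "203.0.113.10", "primary_dc": "DC-1",
     "secondary_dc": "DC-2", "internal_range": "172.17.12.0/29"},
    {"name": "branch-b", "static_ip": "203.0.113.20", "primary_dc": "DC-1",
     "secondary_dc": "DC-1", "internal_range": "172.32.0.0/29"},
    {"name": "branch-c", "static_ip": "198.51.100.5", "primary_dc": "DC-3",
     "secondary_dc": "DC-4", "unnumbered": True},
]

if __name__ == "__main__":
    for name, problem in check_tunnel_plan(PLAN, ["198.51.100.5"]):
        print(f"{name}: {problem}")
```

The branch-b range 172.32.0.0/29 sits just past the end of 172.16.0.0/12, so the check flags it even though it resembles a private address.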