Secure Internet and SaaS Access (ZIA)

Using Dedicated IP

When an organization forwards its network traffic to the Zscaler cloud, the proxy architecture means that the client device's IP address is translated (through Network Address Translation) into a Zscaler-managed IP address drawn from a shared pool before the traffic is forwarded to its destination. Masking client devices behind Zscaler's IP addresses serves a core tenet of zero trust network access (ZTNA), but organizations sometimes need to present their own IP addresses in order to authenticate to and access certain resources.

For example, third-party SaaS applications and domains might use the source IP address of the traffic they receive as a filtering mechanism and restrict access to a preregistered allowlist of addresses, which usually belong to the organization. Such applications deny user traffic that arrives from any other address, whether inside or outside the organization, including a Zscaler data center address that is not preregistered with the service.

In other cases, applications allow access only from specific countries, and Zscaler might not have a data center in that country. For example, some government sites hosted in a country are reachable only from within that country; if Zscaler has no data center there, users in that country lose access to those sites because their traffic egresses from elsewhere.

In such scenarios, organizations might otherwise have to bypass some traffic around the Zscaler service, creating a security gap. Organizations can deploy Private Service Edges or Virtual Service Edges to overcome this issue. Others prefer a cloud-delivered service that provides a dedicated IP address for their exclusive use. Where the source IP address must be fixed and unique to an organization, Zscaler lets you control the source IP address of the traffic forwarded to destination servers without bypassing the Zscaler service. These dedicated source IP addresses can either be self-managed or be provisioned by Zscaler for your organization.

Source IP-based authentication is a weak control: it identifies an egress point rather than a user, so anything that can send traffic from that address inherits the access. Because it increases the risk of exploitation by malicious actors, Zscaler recommends using Dedicated IP only for applications that mandate IP-based authentication.
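To make the destination-side filtering described above concrete, and to show why the caveat about IP-based authentication matters, the following is an added example written for this page; it is not Zscaler's code, nor any SaaS vendor's implementation. It evaluates a constructed access log against a hypothetical preregistered allowlist (RFC 5737 documentation addresses stand in for an organization's dedicated egress block, a shared proxy pool address, and an unrelated external address). The decision is keyed only on the TCP peer address; a separate check flags requests whose client-supplied X-Forwarded-For header claims an allowlisted address without the connection actually originating there.

```python
import ipaddress
import re

# Constructed sample access log as the SaaS side might record it (not a real
# Zscaler or SaaS log format). Fields: peer address of the TCP connection,
# method, path, and the X-Forwarded-For header value ("-" when absent).
# 203.0.113.x stands in for the organization's dedicated egress block,
# 198.51.100.7 for a shared proxy pool address, 192.0.2.45 for an outsider.
SAMPLE_LOG = """\
203.0.113.10 GET /login xff=-
198.51.100.7 GET /login xff=203.0.113.10
203.0.113.11 POST /api/export xff=-
192.0.2.45 GET /login xff=-
"""

# Hypothetical allowlist preregistered with the application: the organization's
# dedicated egress block (/29 covers 203.0.113.8 through 203.0.113.15).
ALLOWED_EGRESS = [ipaddress.ip_network("203.0.113.8/29")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) xff=(\S+)$")


def parse_line(line):
    """Split one constructed log line into its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    peer, method, path, xff = m.groups()
    return {
        "peer": ipaddress.ip_address(peer),
        "method": method,
        "path": path,
        "xff": None if xff == "-" else xff,
    }


def is_allowed(peer_ip, allowlist=ALLOWED_EGRESS):
    """Allowlist decision keyed only on the connection's peer address.

    X-Forwarded-For is set by whoever sends the request, so it never feeds
    this decision; a client can claim any address in that header.
    """
    return any(peer_ip in net for net in allowlist)


def evaluate(log_text, allowlist=ALLOWED_EGRESS):
    """Return (peer, path, allowed) for every request in the log."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        decisions.append((str(rec["peer"]), rec["path"], is_allowed(rec["peer"], allowlist)))
    return decisions


def spoof_attempts(log_text, allowlist=ALLOWED_EGRESS):
    """Flag denied requests whose X-Forwarded-For claims an allowlisted address.

    These are worth alerting on: the sender is trying to look like the
    organization's dedicated egress without actually connecting from it.
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["xff"] is None or is_allowed(rec["peer"], allowlist):
            continue
        try:
            claimed = ipaddress.ip_address(rec["xff"].split(",")[0].strip())
        except ValueError:
            continue
        if is_allowed(claimed, allowlist):
            flagged.append((str(rec["peer"]), rec["xff"]))
    return flagged


if __name__ == "__main__":
    for peer, path, ok in evaluate(SAMPLE_LOG):
        print(f"{peer:15} {path:12} {'ALLOW' if ok else 'DENY'}")
    print("spoof attempts:", spoof_attempts(SAMPLE_LOG))
```

Run as a script, it allows the two requests from the dedicated block, denies the shared-pool and outsider addresses, and flags the shared-pool request that forged an allowlisted address in X-Forwarded-For. The second log line is the point of the caveat: whoever controls traffic from an allowlisted address gets in with no further identity check, and anyone who does not will try to fake it at the header layer, which is why the decision must be bound to the real peer address and the application should still require user-level authentication behind the allowlist.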

Zscaler provides the following two offerings for organizations that need dedicated source IP addresses:

Customer-Managed Dedicated IP (or Source IP Anchoring)

With Source IP Anchoring, your organization hosts the required infrastructure on its own premises and owns the IP addresses from which its traffic egresses. You create policies that route traffic from ZIA to Zscaler Private Access (ZPA) App Connectors hosted on your premises, which serve as the egress point toward the destination. The destination application or domain sees the App Connector's egress IP address as the source of the traffic and allows access to the resource. To learn more, see Understanding Source IP Anchoring.

The Source IP Anchoring feature is not supported with Virtual Service Edges.

Zscaler-Managed Dedicated IP

Zscaler-Managed Dedicated IP is a cloud-based service through which organizations obtain Zscaler-managed IP addresses and use them as their dedicated source IP address for applications that require IP-based authentication. With this solution, traffic from your clients arrives at Zscaler's Zero Trust Exchange (ZTE) platform and egresses the Zscaler cloud from the unique IP address that Zscaler provisioned for your organization. Unlike Source IP Anchoring, the App Connectors in this case are deployed within a Zscaler data center. You must configure the egress point on the App Connector before creating the policies that establish the traffic flow, and every destination that requires the dedicated IP address must be defined in advance. To learn more, see Understanding Zscaler-Managed Dedicated IP.
