Secure Internet and SaaS Access (ZIA)
Zscaler Service Endpoints
This article provides an overview of the various API endpoints offered by Zscaler to enable customers and partners to deploy the required infrastructure and integrate the Zscaler service with their environment. These API endpoints help you automate firewall configuration changes and their propagation in your environments to establish connectivity with the Zscaler cloud infrastructure.
For a list of all available Zscaler API endpoints, visit config.zscaler.com.
- To view insights into cloud operation status, upcoming maintenance, and security updates, visit the Zscaler Trust Portal.
- The Zscaler service also provides the RSS Feed URLs for blogs and notifications related to URL categories.
ZIA Public Service Edges
This section provides information specific to Zscaler’s data centers, such as the list of IP addresses along with the prefixes advertised by each data center, VPN hostname, GRE virtual IP address, SVPN virtual IP address, and more. This information is necessary for adding the Zscaler data center’s address prefix to the allowlist in your firewall or tunneling your organization’s traffic to the Zscaler service.
The following links provide information specific to Zscaler’s data centers for each cloud in JSON format: ZIA Public Service Edge
Zscaler Central Authority (CA)
This section provides the list of IP addresses along with the prefixes used by the Zscaler Central Authority. You need to add these IP address prefixes to the allowlist in your firewall if you are using any of the following services:
- Third-party authentication service with Active Directory (AD)/OpenLDAP or Kerberos client authentication service is hosted in your organization’s data center. The AD and Kerberos servers must pass authentication requests directly to the CA hosted in the Zscaler cloud.
- ZIA Private Service Edges are installed in your organization’s data center. The Private Service Edges must communicate with other nodes in the Zscaler cloud, including the CA for user authentication and policy updates.
The IP addresses for the CA are split between required and recommended lists and the following links provide this information on a per-cloud basis in JSON format:
| Required | Recommended |
|---|---|
Zscaler Client Connector
This section provides a list of the ZIA Public Service Edge IP addresses to which the Zscaler Client Connector forwards traffic. If you need to forward traffic from a site that is behind a firewall to the ZIA Public Service Edge (destination server) using Zscaler Client Connector, you need to add the destination server's IP address to the allowlist in your firewall.
The following links provide the list of destination servers’ IP addresses (referred to as SVPN IP addresses) for each Zscaler cloud in JSON format:
For zscalerone.net, the endpoints are yet to be published.
Future Data Centers
This section provides the list of IP addresses along with the prefixes that are allocated for Zscaler’s future data centers. These data centers will become operative as Zscaler expands its operations to new geographical regions and adds new cloud infrastructure. If you are setting up new organization sites, you can add these address prefixes to the allowlist in your firewall ahead of time to simplify the firewall configuration later. You can also add these address prefixes to your access control lists and application allowlists, as applicable.
The following links provide a list of IP addresses for each cloud that are advertised by Zscaler’s future data centers in JSON format: