icon-zscaler-deployments-operations.svg
Zscaler Deployments & Operations

Local Breakouts Deployment and Operations Guide

This guide describes the benefits of using Software-Defined Wide Area Networking (SD-WAN) local breakouts and the steps necessary for integrating Zscaler Internet Access (ZIA) into your local breakout security posture.

Backhauling over Multi-Protocol Label Switching (MPLS) to a centralized internet gateway via a hub-and-spoke architecture is inadequate when deploying cloud applications. Delivering a fast user experience and supporting cloud applications and services requires locally-routed internet traffic.

SD-WAN simplifies branch traffic routing in the branch, and makes it easy to establish local internet breakouts. Software-defined policies select the best path to route traffic connecting the branch to the internet, cloud applications, and the data center.

Deploying Zscaler with your new local breakouts secures and simplifies your local branch infrastructure by protecting user and application traffic, and reducing unneeded security hardware.

Value of Deploying ZIA with SD-WAN Local Breakouts

Integrating ZIA with SD-WAN local breakout deployments provides the following benefits:

  • Fast and secured user experience.
  • Reduced costs.
  • Simplified branch IT operations.
  • Protected users, wherever they connect.

Deployment Phase

The deployment phase includes the process to initially set up and integrate Zscaler solutions into an existing network infrastructure. During the deployment phase, you configure ZIA to work with your local breakout SD-WAN infrastructure. The following sections discuss steps to deploy ZIA with local breakouts using SD-WAN.

Prerequisites

For local breakout deployment, verify and complete the following prerequisites:

  1. Endpoint evaluation:
    1. Identify hardware (such as routers and firewalls) at the Public Service Edge.
    2. Identify SD-WAN capabilities.
  2. Estimate traffic and consumption.
  3. Evaluate suitable traffic forwarding methods and validate the respective deployment prerequisites.
  4. Evaluate security requirements.
  5. Identify egress IPs.
  6. (Optional) Identify clients that need different treatment than the regular users at the endpoint.
  7. Identify suitable data centers.

Deployment Steps

The following steps explain how to integrate ZIA with local breakout SD-WAN:

  1. Provision static egress IPs or review how to configure a location without a static egress IP.
  2. Create individual locations per local breakout.
  3. (Optional) Create sub-locations.
  4. Choose and implement the most suitable traffic forwarding method for your organization, GRE, or IPSec tunneling.

Considerations

Review the following considerations:

  • Verify the cloud enforcement node status before choosing a suitable data center (Zscaler Cloud Configuration Requirements):
    • Some data centers have a regional surcharge applied to them. Contact your Zscaler Account team to confirm your organization can use surcharged data centers.
    • Data centers that have a regional surcharge or are not marked with Auto Geo Proximity Enabled won’t be chosen as the preferred data centers. Contact your Zscaler Account team for instructions on how to include all possible Zscaler data centers in your infrastructure.
  • Check round-trip times between the egress and Zscaler’s Public Service Edges to identify the Zscaler data center with the least latency. Reach out to Zscaler Support for assistance.

Operations Phase

This section describes common practices used to operate Zscaler solutions when integrated with your environment. During the operations phase, you can monitor and tune ZIA to meet your SD-WAN local breakout infrastructure needs.

Prerequisites

Make sure to document all ZIA policies and traffic forwarding methods that are defined for entire branch locations to use as a reference to help your engineers or Zscaler contacts with troubleshooting processes.

Common Troubleshooting Tips

The following list describes common issues related to deploying ZIA in SD-WAN local breakouts:

  • Performance Issues: When faced with performance issues, you can analyze infrastructure performance using the Zscaler Cloud Performance Test Tool.
  • Tunnel Flaps: If your tunnels start flapping, review the GRE and IPSec configuration guidelines and ensure that you've properly provisioned the tunnel for your organization. Check Zscaler Trust to see if there is an associated outage with respect to the detected flapping behavior.
  • Tunnel Failover Issues: Review tunnel configuration guidelines to verify that everything is correctly configured.

Deployment and Operations Checklist

Zscaler recommends downloading the Local Breakouts Deployment and Operations Checklist to help plan and implement your SD-WAN local breakout deployment for ZIA: Download PDF

Additional Information

For more SaaS Security information and troubleshooting instructions, see the Zscaler Support Portal and the Zscaler Zenith Community.

Related Articles
Advanced Sandbox Deployment and Operations GuideAuthentication Deployment and Operations GuideBandwidth Control Deployment and Operations GuideCloud App Control Deployment and Operations GuideIsolation Deployment and Operations GuideDisaster Recovery Deployment and Operations GuideDLP Deployment and Operations GuideDNS Control Deployment and Operations GuideFirewall Deployment and Operations GuideIPS Control Deployment and Operations GuideLocal Breakouts Deployment and Operations GuideSaaS Security Deployment and Operations GuideSIEM and ZIA Integration Deployment and Operations GuideSSL Inspection Deployment and Operations GuideURL Filtering Deployment and Operations GuideThreat Protection Deployment and Operations GuideZIA Policy Leading Practices GuideZIA SSL Inspection Leading Practices Guide