Zscaler – Disaster Recovery using ZPA


Over the years we have designed and implemented a variety of Disaster Recovery (DR) environments and processes for customers to meet their requirements. These DR projects have ranged from Active/Active data centres or Primary/DR data centres to application-specific DR.

The latest DR project we were involved in was for a government department that hosts its applications in Microsoft Azure. The requirement was that, in the event of a disaster in their primary Azure region, they could spin up their applications and infrastructure in another Azure region within their Recovery Time Objective (RTO).

For the customer's external-facing applications we used native Azure traffic-routing services such as Azure Traffic Manager, which fails DNS over between regions, so redirecting traffic once the application had been spun up was relatively straightforward. For the internal applications, however, we needed another method to fail traffic over, because those applications were not exposed to the Internet and had no public DNS record to repoint.

Enter Zscaler Private Access (ZPA). ZPA is a cloud service from Zscaler which provides Zero Trust Network Access (ZTNA) to internal applications hosted on-premises or in the public cloud: users are connected to individual application segments through App Connectors rather than being placed on the network. We had already deployed ZPA for the customer 18 months earlier to give users access to internal applications in Azure, so to provide DR for the internal applications we leveraged the customer's existing investment in ZPA.

One of the key customer requirements was zero infrastructure cost in the DR Azure region, so for DR testing or for an actual DR event the infrastructure would be spun up on demand rather than kept running. Another requirement was that the RTO for their applications must be within 3 hours.

We were able to stand up a fully configured ZPA App Connector in the DR region within 30 minutes and, once it showed as healthy, fail all traffic that previously traversed the App Connectors in Azure region A over to the DR App Connector in Azure region B, well inside the 3-hour RTO.

Using ZPA for disaster recovery of the customer's internal applications allowed us to meet their key DR requirements for cost and RTO, whilst also providing a simple, repeatable set of steps for DR testing or an actual DR event. We were also able to deliver per-application DR, which the customer had considered desirable but not mandatory, as they did not expect it to be achievable because the DR region duplicates the primary region's IP addressing. Because ZPA is not a network-based VPN, no routes for the duplicated subnets are ever pushed to the client: each application segment is reached through whichever App Connector group it is bound to, so one application can be served from region B while the others stay in region A, even though both regions use the same addresses.
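The following is an added model, written for this page and not Zscaler's code or the ZPA API, of why the per-application failover described above works with duplicated IP addressing when connections are brokered per application, and why a routed VPN cannot split the same prefix between two regions. It also covers the whole-region failover from the DR test. Region names, connector groups, application segments and addresses are all constructed for the example, and the "VPN" is deliberately simplified to a client routing table.

```python
"""Constructed model: per-application DR with a ZTNA broker versus a routed VPN.

Added illustration, not Zscaler's code or the ZPA API. Regions, connector
groups, application segments and addresses are made up; the DR region
deliberately reuses the primary region's IP space, as in the case study.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AppSegment:
    fqdn: str   # name the client asks for
    ip: str     # address the app has in BOTH regions (duplicated addressing)
    port: int


class RoutedVpn:
    """Network VPN model: the client receives routes, and a prefix can only
    point at one gateway, so two regions sharing 10.10.0.0/16 collide."""

    def __init__(self):
        self.routes = {}  # ip_network -> region

    def advertise(self, prefix, region):
        net = ipaddress.ip_network(prefix)
        current = self.routes.get(net)
        if current is not None and current != region:
            raise ValueError(f"route conflict: {net} already via {current}, "
                             f"cannot also be advertised via {region}")
        self.routes[net] = region


class ZtnaBroker:
    """ZTNA model: the client never gets a route. The broker maps each
    application segment to a connector group, and the connector in that
    region opens the outbound connection to the app's local address."""

    def __init__(self):
        self.connector_groups = {}  # region -> number of healthy connectors
        self.binding = {}           # fqdn -> (AppSegment, region)

    def register_connector_group(self, region, healthy_connectors):
        self.connector_groups[region] = healthy_connectors

    def publish(self, app, region):
        self._require_healthy(region)
        self.binding[app.fqdn] = (app, region)

    def failover(self, fqdn, to_region):
        """Per-application failover: only this segment moves region."""
        self._require_healthy(to_region)
        app, _ = self.binding[fqdn]
        self.binding[fqdn] = (app, to_region)

    def failover_all(self, from_region, to_region):
        """Whole-region failover, as in the case study's DR test."""
        self._require_healthy(to_region)
        for fqdn, (app, region) in list(self.binding.items()):
            if region == from_region:
                self.binding[fqdn] = (app, to_region)

    def connect(self, fqdn):
        """Return (region, ip, port) the connector would dial for this request."""
        if fqdn not in self.binding:
            raise PermissionError(f"{fqdn} is not a published application segment")
        app, region = self.binding[fqdn]
        self._require_healthy(region)
        return region, app.ip, app.port

    def _require_healthy(self, region):
        # Check the target connector group is up BEFORE moving traffic to it.
        if self.connector_groups.get(region, 0) < 1:
            raise RuntimeError(f"no healthy App Connector in {region}")


def vpn_can_split_regions():
    """Try to reach the same prefix via both regions over a routed VPN."""
    vpn = RoutedVpn()
    vpn.advertise("10.10.0.0/16", "region-a")
    try:
        vpn.advertise("10.10.0.0/16", "region-b")  # DR region reuses the space
        return True
    except ValueError:
        return False


def ztna_per_app_dr():
    """Fail only payroll over to the DR region; hr stays in the primary."""
    broker = ZtnaBroker()
    broker.register_connector_group("region-a", healthy_connectors=2)
    broker.register_connector_group("region-b", healthy_connectors=1)  # stood up on demand
    hr = AppSegment("hr.corp.internal", "10.10.1.5", 443)
    payroll = AppSegment("payroll.corp.internal", "10.10.1.6", 443)
    broker.publish(hr, "region-a")
    broker.publish(payroll, "region-a")
    broker.failover("payroll.corp.internal", "region-b")
    return broker.connect("hr.corp.internal"), broker.connect("payroll.corp.internal")
```

The health check in `_require_healthy` models the practitioner's step of confirming the DR connector is up before rebinding segments to it; in the model, a failover to a region with no healthy connector is refused rather than silently black-holing the application.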

If you'd like to talk about Zscaler Private Access, get in touch.