A subcloud is a subset of Zscaler Enforcement Nodes (ZENs), which are full-featured secure Internet gateways that inspect all web traffic bi-directionally for malware, and enforce security, compliance, and next generation firewall (NGFW) policies. ZENs are deployed in Zscaler data centers around the globe, so when your users move to a different location, they can access the Internet from any device and the ZENs will protect their traffic and apply your corporate policies.

If certain requirements make forwarding traffic to public ZENs less than ideal, you can extend Zscaler's patented cloud architecture to your organization's premises by deploying private ZENs or virtual ZENs (VZENs). Note that VZENs cannot be in a subcloud.

A subcloud can be a subset of public ZENs, a subset of private ZENs, or a subset of both public ZENs and private ZENs. A subcloud cannot be a subset of ZENs in only one data center.

Using a Subcloud

Zscaler always recommends that organizations forward traffic to the ZENs in the Zscaler cloud. They are deployed in active-active mode all over the world, to ensure availability and redundancy. Zscaler monitors and maintains its ZENs worldwide to ensure 24/7 availability.

The service uses geolocation technology to find the ZEN closest to the user and forwards web traffic to that ZEN, which in some cases may be less than ideal. For example, you may be required to forward web traffic to ZENs in a specific region only, but if a road warrior has traveled outside of it, then web traffic may be forwarded to a ZEN located outside of your preferred region. In such a case, you can use a subcloud to ensure that traffic is forwarded to your preferred ZENs.

Note that although Zscaler does not recommend using subclouds, it can set them up for organizations with specific needs. Generally, subclouds are set up only for organizations with certain geopolitical requirements and regulations, and for organizations located near their countries' borders, to prevent traffic from being forwarded to ZENs in a neighboring country that uses a different language.

The following sections describe the different types of subclouds that Zscaler can set up, depending on an organization's requirements.

Public ZENs

For organizations that need to forward web traffic to ZENs in a specific region only, a subcloud that consists of only ZENs located in that region can be created. For example, if you need to forward web traffic to ZENs that are located in Europe only (for compliance or regulatory requirements) you can use a subcloud that consists of ZENs in Europe, as shown in the following illustration.  

[Illustration: Public ZENs]

Private ZENs

If you want your web traffic to be forwarded to only private ZENs, a subcloud that consists of only your private ZENs can be created. This ensures that your traffic does not get forwarded to public ZENs. In the image below, the subcloud's name is "Safemarch".

[Image: Private ZENs]

Public and Private ZENs

If you want your web traffic to be forwarded to certain public ZENs and private ZENs, a subcloud that consists of only your preferred public ZENs and private ZENs can be created. This ensures that your traffic is only forwarded to the ZENs in that subcloud. In the image below, the subcloud's name is "Safemarch2".

[Image: Public and Private ZENs]

Setting Up a Subcloud

If you are interested in having a subcloud for your organization, submit a ticket to Zscaler Support. The Zscaler service sets up the subcloud only if your organization meets certain criteria.

PAC File Variables

Please note that if you want to use a PAC file to forward your web traffic to a subcloud, you must use a custom PAC file that does not use the variables "gateway.<zscaler_cloud>" and ${GATEWAY} in its return statement. Otherwise, web traffic will be forwarded to the nearest public ZEN, which may not be a ZEN in your subcloud.

So that your web traffic is always forwarded to the ZENs specified in the subcloud, use the following variables:

  • The following variables are used for applications that do not support PAC files:
    gateway.<subcloud_name>.<zscaler_cloud> and secondary.gateway.<subcloud_name>.<zscaler_cloud>
  • The following variables are used in PAC files:
    ${GATEWAY.<subcloud_name>.<zscaler_cloud>} and ${SECONDARY.GATEWAY.<subcloud_name>.<zscaler_cloud>}
  • The following variables are used for Kerberos:
    ${GATEWAY.<subcloud_name>.<zscaler_cloud>_HOST} and ${SECONDARY_GATEWAY.<subcloud_name>.<zscaler_cloud>_HOST}

Each subcloud is associated with a DNS name, which resolves to the ZENs in that subcloud. Replace <subcloud_name> with the DNS name of the subcloud, and replace <zscaler_cloud> with your cloud name. To learn how to find your cloud name, see What is my cloud name?

For example, if you are using a subcloud called "Europe", and the cloud name is zscaler.net, you would use the variables ${GATEWAY.Europe.zscaler.net} and ${SECONDARY_GATEWAY.Europe.zscaler.net} in the return statement of your PAC file.
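One way to check a custom PAC file against the rule above before publishing it: the following lint is an added example, not Zscaler code. It flags return statements that still use the generic gateway forms and counts those that use the subcloud forms. The sample PAC text, its port 80, the example.com rule, and the function names are constructed assumptions.

```javascript
// Added example: lint a custom PAC file for gateway variables that bypass a subcloud.
// "Europe" / zscaler.net are the page's example values; SAMPLE_PAC is constructed
// (its port 80 and the example.com rule are assumptions, not from the page).
const SAMPLE_PAC = [
  'function FindProxyForURL(url, host) {',
  '  if (isPlainHostName(host)) return "DIRECT";',
  '  if (shExpMatch(host, "*.example.com"))',
  '    return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80";',
  '  return "PROXY ${GATEWAY.Europe.zscaler.net}:80; PROXY ${SECONDARY_GATEWAY.Europe.zscaler.net}:80";',
  '}',
].join("\n");

// Escape a literal string for use inside a regular expression.
function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

function auditPac(pacSource, subcloud, cloud) {
  const sc = escapeRe(subcloud), cl = escapeRe(cloud);
  // Generic forms: these resolve to the nearest public ZEN, not the subcloud.
  const generic = [
    /\$\{(?:SECONDARY[._])?GATEWAY(?:_HOST)?\}/g,                 // ${GATEWAY} and siblings
    new RegExp(`\\b(?:secondary\\.)?gateway\\.${cl}\\b`, "gi"),   // gateway.<zscaler_cloud>
  ];
  // Subcloud forms. The page spells the secondary variable with both "." and "_",
  // so both spellings are accepted here.
  const scoped = new RegExp(
    `\\$\\{(?:SECONDARY[._])?GATEWAY\\.${sc}\\.${cl}(?:_HOST)?\\}` +
    `|\\b(?:secondary\\.)?gateway\\.${sc}\\.${cl}\\b`);
  const returns = /return\s+(["'])(.*?)\1/g; // single-line string returns only
  const findings = [];
  let scopedReturns = 0;
  pacSource.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(returns)) {
      const value = m[2];
      const tokens = generic.flatMap((re) => value.match(re) || []);
      if (tokens.length) findings.push({ line: i + 1, tokens });
      if (scoped.test(value)) scopedReturns += 1;
    }
  });
  return { findings, scopedReturns };
}

// Stand-alone run: print what the lint finds in the constructed sample.
console.log(JSON.stringify(auditPac(SAMPLE_PAC, "Europe", "zscaler.net"), null, 2));
```

A PAC file passes when `findings` is empty and `scopedReturns` is at least 1. Returns built by string concatenation or spread over several lines are not parsed by this lint.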