How do I control bandwidth usage?

Zscaler provides bandwidth control at two levels.

  • At the first level, the Zscaler service provides bandwidth control by location. You configure maximum upload and download bandwidth limits for each location in your organization. These limits apply to the entire bandwidth of the location, irrespective of the web application traffic flowing through the network.

    NOTE: The service applies bandwidth controls to traffic from known locations only; that is, locations that are configured on the Zscaler admin portal. The Bandwidth Control policy does not apply to road warriors because their traffic does not come from a configured location and their source IP address has unknown upload and download bandwidth values.
  • At the second level, for each location, you can configure bandwidth shaping rules based on application classes, such as VoIP or Web Conferencing, URL categories, or custom application classes that you define.

The Zscaler bandwidth algorithm allows an application class full bandwidth utilization until there is contention for the bandwidth by a traffic class with a higher priority. When application classes compete for bandwidth, the service takes action based on the multiple QoS controls that you configured in the bandwidth control policy, as shown below:

The Zscaler service rebalances the bandwidth in real time and buffers packets for application classes that hit the bandwidth quota limit during 1 second intervals.  This behavior ensures that business critical applications run at full speed, with no deterioration in quality.

The Zscaler service applies the policy to all HTTP and HTTPS traffic from the location. You do not need to enable SSL interception because it works at the TCP level.

You can go to the Bandwidth Control dashboard to view your organization's bandwidth usage in real time. You can also go to Analytics > Interactive Reports to view the standard reports for Bandwidth Control or to create custom reports as well.

How does it work?

First, you specify the maximum upload and download bandwidth limits for each location in your organization. Note that about 5% of TCP traffic is overhead, such as packet headers. The Zscaler service does not include these in its bandwidth calculations. It only includes the application traffic.

Then you define the bandwidth control policy − a set of prioritized rules that tell the service how to allocate the bandwidth when contention occurs. Each rule defines a maximum and minimum bandwidth for the application classes in the rule along with other parameters, like maximum concurrent connections, location and time of day. The maximum bandwidth specifies the maximum percentage of the total bandwidth that the configured application class can use at a given point in time, and the minimum bandwidth specifies the guaranteed minimum bandwidth percentage that is available for the application class.

The service allows an application class full bandwidth utilization until there is contention for the bandwidth by a traffic class with a higher priority. When application classes compete for bandwidth, the service allocates the guaranteed minimum bandwidth percentages to the application classes and allocates the remaining bandwidth according to the prioritized rules. Therefore the total minimum bandwidth must be less than 100%.

How does it work?

Sample Policy for Bandwidth Management

Above is a sample policy for an organization that has a 100Mbps bandwidth pipe. In this policy,

  • The Productivity bandwidth class is a custom bandwidth class that includes business critical apps, such as Salesforce, Office 365 apps, NetSuite and Box. It is always guaranteed 30% of the bandwidth and can use up to 100%.  
  • The Business & Economy bandwidth class is always guaranteed 20% of the bandwidth and can use up to 100%. The Business & Economy bandwidth class is a custom bandwidth class that includes the Business & Economy category and other domains related to the business.
  • The Large Files bandwidth class is always guaranteed a minimum of 10% of the bandwidth and can use up to 100%.
  • The default rule, which includes all other Internet traffic, is not guaranteed any bandwidth, but it can consume up to 100% of the bandwidth, when available. You cannot change the priority of the default rule. The service always applies this rule last.

When bandwidth contention occurs, the service always guarantees the specified minimum bandwidth. Therefore, in this example, the Productivity class is guaranteed 30% (30 Mbps), the Business & Economy class is guaranteed 20% (20 Mbps), and the Large Files class is guaranteed 10% (10 Mbps). The service allocates the remaining 40% of the bandwidth (40 Mbps) based on traffic from other application classes during each 1 second interval. When an application class uses less than its minimum bandwidth, then the service allocates the idle bandwidth to the other classes, based on the prioritized rules.

The following scenarios illustrate how the service allocates bandwidth, as bandwidth requirements change:

Scenario 1:  It is 9 a.m. and all the employees are in the office hard at work. The apps in the Productivity bandwidth class need all the available bandwidth.The Productivity class is guaranteed 30 Mbps.  If there is no contention from other application classes, then the Productivity class can utilize 100 Mbps, because it is the first rule and its maximum percentage value is 100%. But if apps in the Business & Economy class need bandwidth, then the service will allocate at least 20 Mbps to this class, but will allocate the remaining bandwidth to the Productivity class, when needed.

Scenario 2:  It is 11 a.m. and the bandwidth requirements change. The Productivity class needs 40%, the Business & Economy class needs 30%, and the Large Files class only needs 10%. The service allocates the remaining %20 of the bandwidth to the Default class.

Scenario 3:   It is 12:30 pm and most employees are out to lunch. Bandwidth usage changes yet again. The Productivity class, Business & Economy class and Large Files only need 10%. The service then allocates the remaining bandwidth, which is 90%, to the default bandwidth class.

Additionally, you can add more restrictive rules around social media and streaming media. For example, you can allocate a maximum of 10% of the bandwidth to the Streaming Media/File Share bandwidth class and social media bandwidth class. In this way, when bandwidth is restricted, these classes are not guaranteed any bandwidth and are restricted to 10% of the bandwidth, when available.

You can go to the Bandwidth Control dashboard to view your organization's bandwidth usage in real time.

See How do I configure the Bandwidth Control policy?

For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?