A retail customer has 80 small stores. Each store has a consumer-grade router (no firewall, no IPSec capability) and guest-grade Wi-Fi used by tablet POS terminals. The CISO wants all internet traffic from those tablets inspected by ZIA. Which connector do you recommend at each store?

Correct answer: Branch Connector — built exactly for offices with no firewall, forwarding to ZIA. Correct: c. Branch Connector is purpose-built for branch offices without a capable edge firewall — it sits as a small VM/appliance at the edge and tunnels user traffic to ZIA Public Service Edges for full inspection. App Connector (a) serves inbound to private apps, not ZIA forwarding. Cloud Connector (b) is for cloud workloads, not retail branches. Per-device Z-App (d) is operationally painful on a shared POS device and doesn't solve the guest-Wi-Fi case.

You deploy an App Connector in AWS. It boots, the ZPA admin portal shows it as "Pending" for over five minutes. journalctl -u zpa-connector on the VM shows successful TLS to Zen IP on TCP/443 but timeouts on TCP/9000. What is the most likely cause?

Correct answer: AWS Security Group or egress firewall is allowing TCP/443 but not TCP/9000 to the Zen IP ranges. Correct: b. The connector needs both TCP/443 (registration) and TCP/9000 (control channel). 443 working but 9000 blocked is the textbook symptom of a Security Group or egress firewall that allow-listed only "443 to Zen" and forgot the control channel. (a) would fail TCP/443 too. (c) makes no sense as a failure mode. (d) would slow things down, not break them.

A team has 500 concurrent RDP users hitting Windows jump hosts behind ZPA. They deployed a single 2 vCPU / 4 GB App Connector "because the sizing guide said that handles 1,000 HTTP users". Users now report stalls, click lag, and periodic disconnections. What is the actual problem?

Correct answer: RDP is much heavier than HTTP per user — a 2 vCPU connector handles only ~200 RDP users, not 1,000. Also there's no HA. Correct: a. Per the sizing table, a 2 vCPU connector handles ~150–250 concurrent RDP users — protocol mix dominates throughput. They also broke the N+1 HA rule with a single connector. RDP is fully supported by ZPA (c is wrong). Branch Connector (b) is for ZIA forwarding, not private app brokering. Always re-size by protocol mix and always deploy N+1.

An InfoSec team mandates that every outbound HTTPS request from corporate machines goes through their on-prem Forcepoint proxy, which performs full SSL inspection. After connector deployment, App Connectors stay in "Pending". What's the cleanest fix?

Correct answer: Add the Zscaler Zen CIDR ranges to the Forcepoint bypass list so connector→Zen traffic is not SSL-inspected. Correct: d. The connector's outbound TLS to Zen is mutually-authenticated with Zscaler's certs. Forcepoint re-signing the traffic with the corporate CA breaks that validation and the session is rejected. The right fix is to bypass SSL inspection (typically via destination-IP allow-list) for the Zscaler Zen CIDR ranges. (a) is not how PKI works between two unrelated CAs. (b) is fabricated — the control channel is TCP. (c) is overkill and won't be approved.

A bank wants 6 internal apps reachable via ZPA. To "keep it simple" the architect creates one big Connector Group containing 4 App Connectors spread across 2 DCs, and attaches all 6 app segments to that single group. What's the principal weakness?

Correct answer: Connector Groups should be by failure domain (per DC), not pooled across DCs — users may get brokered cross-DC for higher latency, and a DC-level failure has weaker isolation. Correct: b. Connector Groups are the unit of HA and the routing boundary. Pooling across DCs in one group means ZPA Cloud can broker a user to the "wrong" DC's connector — wasted latency. Better: one group per DC (cg-dc1, cg-dc2), each app segment attached to its native DC's group with the other DC as secondary failover. (a) and (d) are made-up rules; (c) misses the architectural problem.

A platform team runs 200 ephemeral Kubernetes pods that need to call third-party APIs over the internet. The CISO mandates ZIA inspection of all that egress, with stable source-IP for vendor allow-listing. Per-pod agents are not feasible. Which connector and pattern fits?

Correct answer: Cloud Connector pair inside the VPC, with workload subnet route tables pointing default route at the Cloud Connector ENI(s). Correct: c. Cloud Connector is built for exactly this: cloud-workload egress to ZIA, no agent on each workload, stable anchor IP. App Connector (a) brokers inbound to private apps. Branch Connector (b) is for offices, not VPCs. Per-container Z-App (d) is the anti-pattern Cloud Connector exists to replace.

An engineer enabled unattended OS auto-patching on App Connector VMs "to be good about security". Three months later, after a scheduled connector software update, every connector crashes on restart with library-mismatch errors. What's the corrective policy?

Correct answer: Disable unattended-upgrades on connector VMs; scope patching to security errata only and apply manually during a controlled window, one connector of the HA pair at a time. Correct: a. Connectors are sensitive to underlying library versions because they ship a self-contained TLS / crypto stack. The mature policy is: disable unattended-upgrades, scope to security errata, patch one connector of the HA pair at a time during a controlled window — exactly how you patch firewall HA pairs. (b) leaves CVEs unpatched. (c) is wasteful. (d) is the anti-pattern that creates the outage you're trying to avoid.

A new App Connector deployed in a hardened RHEL 9 image registers fine over TCP/443 but never advertises any segments to ZPA Cloud, and shows as "Disconnected" within 60 seconds. Logs say "auth ok, control channel handshake timeout". setenforce 0 temporarily — connector immediately goes healthy. Best long-term action?

Correct answer: Apply the Zscaler-shipped SELinux policy that grants the connector the contexts it needs, then re-enable SELinux in enforcing mode. Correct: d. The behaviour confirms SELinux is blocking outbound TCP/9000 from the connector process. The right fix is to install the Zscaler-supplied SELinux policy module (so the connector gets the contexts it needs) and re-enable enforcing — keeping the hardening benefit without breaking the connector. (a) sacrifices security. (b) doesn't address the actual cause. (c) avoids the issue rather than fixing it.

You're cutting over 3,000 engineering users from F5 APM to ZPA in 4 DCs. After deploying and registering 8 App Connectors (2 per DC), what is the safest next step before flipping the AD group?

Correct answer: Run a 50-user pilot for 7 days with F5 APM still available as fallback, watch connector health graphs and Trace User reports, then expand to 500, then to the full org. Correct: b. Phased rollout (pilot 50 → expand 500 → wave by org) with the legacy path available as fallback is the standard low-risk cutover. It surfaces app-segment mistakes and policy gaps before they hit thousands of users. (a) trusts a green dot too much — connectors can be healthy while specific app segments are misconfigured. (c) and (d) optimize for speed and create user-facing outages.

A team installs Branch Connector at five small offices to forward internet traffic to ZIA. Users at those offices then complain they cannot reach the internal Jira (a ZPA-protected private app) despite "having Branch Connector". What's the correct fix?

Correct answer: Install Z-App with the ZPA profile on each office user device — Branch Connector only handles ZIA forwarding, not ZPA brokering. Correct: c. Branch Connector is a ZIA-only forwarder — it does not broker ZPA app segments. For private-app access, users need Z-App with the ZPA service profile on their devices, in addition to whatever ZIA-side mechanism (Branch Connector / GRE / Z-App) is forwarding their internet traffic. (a) is a fabricated control — there's no "ZPA permissions" toggle on Branch Connector. (b) is the wrong product. (d) doesn't move traffic through ZPA at all.

App Connector, Branch Connector & Cloud Connector — Deploying ZPA in Production

Why this lesson matters — connectors are where ZPA becomes real

Lesson 9 left you with a clean architecture: four components, double inside-out tunnel, dark apps, no inbound ports. That diagram is honest, but it hides the fact that one of those four components — the App Connector — is literally a Linux VM you have to build, harden, register, monitor, patch, scale, and pair into HA groups, in every place an internal app lives. The architecture diagram does not run itself.

This is the lesson where ZPA stops being slideware and becomes a deployment plan. The choices you make here — where you place connectors, how many you run per failure domain, what size you give them, which group they join, what your egress firewall allows them to talk to — directly determine three things students will be measured on in interviews and in their first 90 days on the job:

User experience. A user in Mumbai brokered to a connector in Virginia adds 220 ms RTT to every Jira page load. Wrong region = bad-user-experience ticket, every day, forever.
HA posture. One connector per region is a single point of failure. The day it patches, reboots, or its hypervisor host has a bad day, every user in that region loses every app served by it. CISOs and ops leads will both hate you for that.
Cost. Over-provisioning eight 8-vCPU connectors per region "to be safe" turns a small ZPA deployment into a six-figure cloud bill. Right-sizing matters.

The cousins — Branch Connector and Cloud Connector — solve adjacent problems (office user egress to ZIA, and cloud-workload egress to ZIA respectively). Most people new to ZPA confuse them. We will fix that explicitly, because in production you will be asked to recommend one over the other on day one.

The three connector flavours — when to use which

Zscaler ships three connector products. They look similar (lightweight Linux VM, outbound-only, registers to Zscaler Cloud), but they serve completely different traffic patterns. Get this table cold before week one — recruiters love asking it.

Connector	What it brokers	Where it sits	What it replaces
App Connector	Inbound user requests to your private apps (Jira, SAP, RDP host, internal API). Pure ZPA play.	Next to the app — in the DC subnet, the AWS VPC, the Azure VNet, the colo.	VPN concentrator + reverse proxy + WAF + ADC for internal apps.
Branch Connector	Outbound user traffic from a small office to ZIA cloud for inspection. Pure ZIA forwarding.	At the office edge — on a small VM, an x86 appliance, or the office router itself.	SD-WAN edge or branch firewall doing GRE/IPSec/PAC to ZIA. Also replaces "tunnel of last resort" config.
Cloud Connector	Outbound traffic from cloud workloads (EC2, GKE node, Azure VM) to ZIA for inspection — without installing Z-App on every instance.	Inside the cloud VPC/VNet, anchored to a NAT/route table that catches workload egress.	VPC-level NAT gateway + manual proxy config on every workload. Also Z-App on container hosts (which is awful).

Plainer rule of thumb:

User trying to reach a private app? App Connector.
Office full of users trying to reach the internet (and you want ZIA in front)? Branch Connector.
Cloud workloads trying to reach the internet (and you want ZIA in front, without per-VM agents)? Cloud Connector.

One more nuance students miss: Branch Connector does not serve ZPA. If you have a branch office that needs both internet inspection and access to private apps, you deploy Branch Connector at the edge (for ZIA forwarding) and install Z-App on the user devices (for ZPA). Branch Connector and App Connector are not substitutes for each other.

The whole picture on one page

ZPA connector landscape — three flavours, one cloud

Three connector flavours, one cloud. App Connector serves your apps (right→cloud), Branch Connector serves your office users (left→cloud via its own edge VM), Cloud Connector serves your cloud workloads. Every arrow is outbound; no one in this picture accepts new inbound TCP from outside.

App Connector Simulator Branch Connector Simulator Cloud Connector Simulator

App Connector — VMware / AWS / Azure deployment walkthrough

You will deploy more App Connectors than the other two flavours combined, because every place a private app lives needs one. Three deployment surfaces dominate: VMware in the DC, AWS in a VPC, Azure in a VNet. The prereqs are nearly identical; the install mechanics differ slightly.

Prereqs that bite in pilot

Supported base OS: RHEL 8 / 9, CentOS Stream, Oracle Linux 8 / 9, Ubuntu 20.04 / 22.04 LTS. Amazon Linux 2 is supported on AWS specifically. Don't pick something exotic — the Zscaler-shipped package only knows about these.
VM spec: 2 vCPU / 4 GB RAM / 16 GB disk is the official minimum and a fair starting point for ≤1 Gbps and a few hundred concurrent TCP sessions. Voice or heavy RDP loads should jump straight to 4 vCPU / 8 GB.
Outbound network: TCP/443 and TCP/9000 to Zscaler's Zen IP ranges. The TCP/9000 control channel is the one people forget; without it the connector registers but cannot accept brokered streams. Pull the JSON CIDR feed from config.zscaler.com and allow-list it on your egress firewall before you boot the VM.
NTP: the enrollment cert is time-sensitive. If the VM's clock drifts by more than a few minutes, registration silent-fails with a misleading "auth error" in the log. Run chrony or ntpd on the VM and verify chronyc tracking is in sync before enrolling.
SELinux / AppArmor: the connector ships with a tested SELinux profile. If your hardening playbook strips it or sets enforcing without the Zscaler context, outbound TCP/9000 can be silently blocked. setenforce 0 during the very first boot to confirm it's not the culprit, then re-enable with the shipped policy.
Provisioning key: generated in Administration → App Connectors → Provisioning Keys → Add. The key is one-time-use, bound to a Connector Group, and expires (default 14 days). Don't generate it a month before deployment — it will be dead when you finally need it.

Install script — AWS (Amazon Linux 2)

This is the path you'll use most often in modern deployments. Spin up an EC2 instance (t3.medium or larger, in a private subnet, with a NAT Gateway for outbound), then bake the connector in via cloud-init userdata:

terminal · root on the new RHEL/CentOS host

# 1. Download the App Connector RPM from the ZPA Admin Portal:
#    Administration → App Connectors → Download → Linux (RHEL/CentOS)
#    OR use the published cloud image (AMI / Azure VHD / GCP image)

# 2. Install the RPM on a 2vCPU/4GB minimum RHEL 8/9 or CentOS 8 host
sudo yum localinstall -y zpa-connector-VERSION.x86_64.rpm

# 3. Drop the provision key (copied from the same Admin Portal page)
sudo bash -c 'echo "YOUR_PROVISION_KEY" > /opt/zscaler/var/provision_key'
sudo chown zscaler:zscaler /opt/zscaler/var/provision_key
sudo chmod 600 /opt/zscaler/var/provision_key

# 4. Enable + start the service. Registration happens automatically on first start.
sudo systemctl enable --now zpa-connector

# 5. Verify
sudo journalctl -u zpa-connector -f
# Look for "Successfully enrolled" and "Connected to broker"

⚠No zpa-connector enroll CLI verb exists

Registration is driven by the provision_key file at first systemd start — there is no separate enroll sub-command. If you see zpa-connector enroll in a guide, the guide is wrong. The presence of /opt/zscaler/var/provision_key when the service starts is what triggers the one-shot enrollment exchange; on success the connector swaps the key for a per-device cert and you'll never need the key again.

Within roughly 30 seconds the connector appears in the ZPA admin portal as Healthy, attached to whichever Connector Group the provision key was bound to. Repeat the whole exercise on a second EC2 in a different availability zone — same Connector Group — to satisfy N+1 HA from day one.

VMware (DC) and Azure (VNet) — the differences

VMware: Zscaler ships a signed OVA from the admin portal. Deploy via vCenter, set static IP via the VMware console (or DHCP if your DC tolerates it), paste the provisioning key into the first-boot wizard. Otherwise the post-install steps are identical to the YUM flow.
Azure: Use the official Azure Marketplace image (search "Zscaler App Connector"). Deploy into a VNet subnet that has outbound NAT (Azure Firewall, NAT Gateway, or a UDR to a network virtual appliance). Provisioning key goes in via the cloud-init custom data field. Make sure the NSG does not have an inbound rule on TCP/9000 — that port is outbound-only from the connector and there is no inbound listener.

App Connector auto-update

App Connectors auto-update from the cloud by default — Zscaler pushes new versions on its own cadence, no admin action. For change-controlled environments (banking, healthcare): pin a version under Administration → App Connectors → Group → Version Pinning. Without pinning, a connector might silently upgrade on a Tuesday afternoon — keep this in your change calendar.

Connector log paths

Log paths: /var/log/zpa/connector.log (active), journalctl -u zpa-connector -f (systemd stream). Set LOG_LEVEL=DEBUG in /etc/zpa-connector/config only for active troubleshooting — debug logs are massive.

Capacity sizing — concurrent users per connector by app type

The single biggest day-one sizing mistake is treating "concurrent users" as a single number. ZPA throughput depends massively on the protocol mix. A connector that comfortably brokers 1,500 Jira (HTTP) users will buckle at 200 RDP users. Use this as your starting calculator:

App type	Per-user bandwidth (avg)	~Concurrent users on 2 vCPU / 4 GB connector	~Concurrent users on 4 vCPU / 8 GB connector
HTTP/HTTPS app (Jira, Confluence, internal portal)	50–150 kbps idle, bursts to 2 Mbps	~250–500 (rule of thumb: ~250 sessions/vCPU at minimum spec; scale to 4vCPU/8GB or run 2–3 connectors in the group for 1,000+)	~1,000–1,500
SSH / Git over SSH (developer)	30–80 kbps	800–1,200	2,000–2,800
RDP (Windows remote desktop)	200 kbps – 2 Mbps depending on resolution	150–250	400–600
VDI / Citrix HDX	200 kbps – 4 Mbps	100–200	300–450
SMB / CIFS (file share)	burst 50 Mbps during transfer	40–80 active transfers	120–200 active transfers
Voice / SIP over UDP	~100 kbps steady, jitter-sensitive	200–300	500–700

Two rules to take into every sizing conversation:

Always N+1 per group. If your math says one connector handles the load, deploy two. If two handle it, deploy three. The +1 covers patching, hypervisor failure, and unexpected load spikes without a user-visible outage. A "perfectly sized" single connector is a deployment that will fail its first patching window.
Scale horizontally, never vertically. The connector is single-process and gets diminishing returns past 8 vCPU. Five 4-vCPU connectors will out-throughput two 16-vCPU connectors and survive an AZ failure that the bigger pair cannot.

HA — Connector Groups and how ZPA Cloud picks a connector

A Connector Group is the unit of HA in ZPA. Group connectors by failure domain — usually one group per AWS AZ, one per Azure availability zone, one per DC row, one per branch DC building. Not by application. An app segment gets attached to one or more Connector Groups; when a user request arrives, ZPA Cloud picks any healthy connector from any attached group, weighted by latency and load.

Geometry that works in production:

Per region (e.g. Mumbai DC): two App Connectors, in two separate VMware clusters or two AZs, both in the same Connector Group "mumbai-dc". App segments served only by Mumbai apps are attached to this group only. Users in India naturally route to Mumbai connectors (lowest RTT).
Multi-region apps: if the same app exists in two regions (active-active), create the same segment in both region groups. ZPA Cloud will pick the closer one for each user.
Cross-region failover: Connector Groups can have a priority order. Set Mumbai as primary, Singapore as secondary. If both Mumbai connectors die, users gracefully shift to Singapore at the cost of a one-time latency hit — far better than a hard outage.

How a connector actually boots and joins the pool

App Connector boot → enrollment → healthy in pool

Six steps from cold boot to "Healthy in pool". Steps 3 and 4 are where 90% of failed deployments hang — egress firewall blocking TCP/9000, an SSL-inspecting proxy intercepting the Zen TLS, or NTP drift invalidating the enrollment exchange.

Branch Connector — when to put it at the office edge

Branch Connector is built for one specific shape of customer pain: a small office, no full-featured firewall, users on guest-grade Wi-Fi, and the business wants their internet traffic inspected by ZIA without buying SD-WAN. Branch Connector ships as a hardware appliance OR as a VM (KVM / Hyper-V / ESXi). The smallest hardware SKU competes with SD-WAN CPE pricing — not "NUC in a closet" cheap. Plan for ~$1.5k–$5k per branch hardware + tenant license. All office user traffic is forwarded — via a lightweight TLS tunnel — to the nearest ZIA Public Service Edge, where full URL filtering, SSL inspection, malware scan, DLP, and sandbox kick in just as if every user were running Z-App.

Use Branch Connector when:

The office has no firewall capable of GRE or IPSec tunnels to ZIA — i.e. nothing better than a consumer-grade router. Branch Connector replaces the missing firewall edge.
You're doing a tactical / event deployment — pop-up event office, temporary site for a 3-month project, M&A acquisition where you don't yet own the network. Stand up a Branch Connector VM in an hour; instant ZIA coverage.
You have a guest Wi-Fi only branch — kiosks, shop floors, lobbies — where you don't want to install Z-App on user devices (you don't manage them) but you do want internet hygiene at the SSID.

Do not use Branch Connector when:

The branch already has a Palo Alto / Fortigate / Meraki / Cisco firewall capable of IPSec. Just configure a GRE or IPSec tunnel to ZIA — fewer moving parts.
You need to give office users access to private apps. Branch Connector does not serve ZPA. For that, install Z-App on user devices, even at branches running Branch Connector.

Cloud Connector — when to anchor cloud-workload egress

Cloud workloads — EC2 instances, GKE pods, Azure VMs, container hosts — egress to the internet for package downloads, API calls, telemetry, and SaaS APIs. Without intervention this egress goes through your VPC's NAT Gateway directly to the internet, completely unfiltered. You don't see what's leaving, you don't apply DLP, you don't catch a compromised container talking to a C2 server.

The naive fix is "install Z-App on every workload". This is awful: containers are ephemeral, autoscaling groups bake new images, the agent install becomes a per-AMI baking concern, and a runtime crash takes a workload offline. Cloud Connector is the answer: a small VM (or a pair, for HA) that you deploy inside the VPC and point your workload subnet route tables at. All outbound traffic from those subnets is captured by Cloud Connector, tunnelled to ZIA Public Service Edges, inspected, and only then released to the internet. The workloads themselves are unmodified.

Use Cloud Connector when:

You have ephemeral workloads (containers, autoscaling EC2, serverless behind a VPC) where per-instance agent management is not feasible.
You want to anchor source IP for SaaS allow-listing — many SaaS vendors only allow your tenant's API key from specific source IPs. Cloud Connector gives you a stable egress IP regardless of how many workloads are behind it.
You need full URL filtering + DLP + sandbox on outbound HTTPS from cloud workloads, without inflating each container image.
You have a dev VPC with 200 ephemeral workloads doing npm install from arbitrary registries; you want every POST they make inspected before it leaves.

✓Verify — is your connector actually healthy?

ZPA Admin Portal: Administration → App Connectors → Connector Management — every healthy connector shows a green dot, last-heartbeat under 30 s, version string visible. A connector stuck in Pending for >2 min means registration is failing.
On the VM: systemctl status zpa-connector shows "active (running)". ss -tnp | grep -E ':443|:9000' shows two ESTABLISHED outbound sessions to Zen IPs. journalctl -u zpa-connector -n 200 shows "Connector registered" near the end.
End-to-end: in ZPA Admin → Diagnostics → Trace User, run a simulated request for a test user against a segment served by this connector. The trace should show: User Z-App → Service Edge → ZPA Cloud → this connector → app reachable. Connector name visible at every hop.
Boot test: from the connector VM itself, curl -sv https://<internal-app-fqdn> --resolve <ip> must succeed. If the connector can't reach the app over its own local network, no amount of ZPA config will help.

⚠Common Mistakes — the 7 that bite week one

One App Connector per region — the SPOF that bites the first patch night. The team ships pilot with a single connector "to save cost". Two weeks later the connector reboots for a kernel update at 02:00. Every user in that region loses every internal app for the full reboot window. Always N+1, always from day one, even in pilot.
SELinux blocking outbound on TCP/9000. Connector boots, registers over TCP/443, then silent-fails on the control channel. ZPA admin shows it as Pending or Disconnected and the logs say "auth ok, control timeout" — easy to misdiagnose as a Zscaler-side issue. Test with setenforce 0; if it then works, apply the Zscaler-shipped SELinux policy and re-enable enforcing.
Branch Connector deployed with the assumption it handles private apps too. "We have Branch Connector at every office, why do we still need to give people Z-App?" Because Branch Connector is ZIA-only. Private apps need App Connector + Z-App on user devices. Same Zscaler tenant, different products.
Cloud Connector in the same VPC as the app but in a different subnet — without a route table entry. Workloads in subnet A do not magically know to send traffic via Cloud Connector in subnet B. You must update subnet A's route table so the default route (0.0.0.0/0) points at the Cloud Connector ENI (or the load-balanced pair). Easy to miss when handing off to a separate cloud team.
An outbound corporate proxy intercepting the connector's Zen-bound TLS with SSL inspection. Many enterprise egress firewalls re-sign outbound HTTPS with the corporate CA. ZPA Cloud rejects the re-signed cert as untrusted and the connector cannot establish its session. Allow-list the Zen CIDR ranges and explicitly bypass SSL inspection for connector traffic.
OS auto-patcher upgrades a system library; the next connector update breaks. Unattended-upgrades on Ubuntu, or DNF automatic on RHEL, can bump openssl or libcurl to a version the current connector binary wasn't tested against. Run connector VMs with auto-patch disabled or scoped to security errata only — and patch them yourself during a controlled window, one of the HA pair at a time.
Under-spec'd 2 vCPU / 2 GB connector for 500 concurrent RDP users. Math says "two connectors should cover it"; reality is RDP eats vCPU for breakfast. Sessions degrade — pixelation, click lag, periodic stalls — before users actually drop. Always re-size by protocol mix per the table above, and stress-test with the simulator before exposing to production users.

💡Pro Tips

Connector Groups by failure domain, not by application. One group per AZ / DC row / rack. App segments come and go; the failure domain is stable. Multiple apps in the same domain naturally share the same HA pair — fewer connectors to run, identical HA posture.
Pre-stage a "canary" segment for every Connector Group. A throwaway HTTP endpoint like canary.acme.com served by the group, with a single test user entitled. Hit it from a script every minute; if it breaks, you know the group is unhealthy before real users open tickets. Wire the canary into your existing monitoring.
Patch connector VMs like firewall pairs, never like web servers. Pull one connector out of the group (or just stop the service), wait for ZPA Cloud to confirm sessions have drained to the partner, patch, restart, wait for "Healthy", then do the other one. Never patch both at the same time. Treat the pair like an active-active firewall HA cluster.

Real-world scenario — migrating off F5 APM across four DCs

Customer: a mid-size manufacturer running F5 APM as their VPN concentrator for engineering, sales, and contractor remote access. Four data centres: Mumbai, Singapore, Frankfurt, Virginia — each running its own Jira, Confluence, Bitbucket, SAP module, and internal toolchain. ~12,000 employees, ~3,000 concurrent VPN users on a typical weekday. F5 APM is two years from end-of-support; the customer wants ZPA before it dies.

Your job: design and deliver the connector layout, then a phased cutover that does not cause a production outage.

Step 1 — Connector layout (the design that survives the runbook)

Per DC: two App Connectors, deployed in two separate VMware clusters (different racks, different power feeds, different ToR switches). Both connectors join the same Connector Group named after the DC — e.g. cg-mumbai, cg-singapore, cg-frankfurt, cg-virginia. That gives you N+1 per region from day one.
Sizing: Jira / Confluence / Bitbucket dominate the protocol mix (HTTP), with a smaller RDP workload for finance teams. From the sizing table, 2 vCPU / 4 GB per connector handles ~250–500 concurrent HTTP sessions; with ~750 expected per DC at peak, scale to 4 vCPU / 8 GB and deploy at least two per DC, or run 3 × 2-vCPU connectors in the group. The horizontal route (3 × small) gives better blast-radius isolation than one big VM — and survives a single-node patch reboot without user-visible impact.
Cross-region failover: set group priorities so each region's primary is itself, with the geographically nearest region as secondary — Mumbai primary / Singapore secondary, Frankfurt primary / Virginia secondary. If both Mumbai connectors die, users transparently shift to Singapore at the cost of ~60 ms RTT — far better than a hard outage.
App segments: one segment per app per region (not per /16). jira-mumbai.acme.com, jira-singapore.acme.com, etc. Each segment attaches to its region's Connector Group only (plus the secondary as failover).

Step 2 — Cutover plan that avoids drama

Deploy + register connectors in all four DCs. Verify all eight show Healthy. Run the canary segment test from a script for 24 hours; expect zero failures.
Pilot group of 50 users across all four regions, mixed roles. Push the Z-App with ZPA profile enabled to these users only; leave F5 APM available as fallback. Run for 7 days. Watch the connector health graphs, the ZPA Trace User reports, and the user-feedback channel.
Expand to 500 users per region — broader role mix, including a few notoriously fussy engineering tools. Another 7 days. Tune segment definitions for any app that surfaces as misconfigured.
Cutover wave 1 — engineering org (3,000 users). Flip Z-App ZPA profile via Intune for the whole engineering AD group on a Friday afternoon. Monitor through the weekend. F5 APM still up but no longer the default route.
Wave 2 + 3 — sales then back-office orgs over the next two weeks.
Decommission F5 APM after 30 days of stable ZPA-only operation, with a 7-day "switchback window" where APM stays cold-spare in case of catastrophic ZPA regression.

What goes wrong if you skip the regional grouping

This is the war story junior engineers learn the hard way. Imagine you skip Step 1's regional grouping and instead create a single global Connector Group with all eight connectors. ZPA Cloud's broker is latency-aware but not infinitely smart; some Mumbai users will get brokered to Virginia connectors when Virginia is momentarily less loaded than Mumbai. The user's Jira-Mumbai request travels Mumbai user → Mumbai Service Edge → ZPA Cloud → Virginia App Connector → back across the Internet to Mumbai DC's Jira server → all the way back. Round-trip time goes from ~30 ms to ~430 ms. Every Jira page load adds half a second. Users complain. Tickets pile up. You eventually re-architect with regional groups — which is what you should have done on day one.

Lesson: Connector Groups are not just an HA boundary, they're a routing boundary. Use them to express "this connector should serve this region's users" as well as "this connector should serve this region's apps". Both meanings are correct simultaneously.

App Connector — full lab ZPA Troubleshooting Cloud Connector

Quick reference — ZPA connector deployment

App Connector — broker for inbound user requests to your private apps. Sits next to the app.
Branch Connector — forwards office user traffic to ZIA. Sits at the office edge. ZIA-only, not ZPA.
Cloud Connector — anchors cloud-workload egress to ZIA. Sits inside the VPC/VNet.
Spec: 2 vCPU / 4 GB / 16 GB disk minimum. RHEL/Ubuntu/Amazon Linux. Outbound TCP/443 + TCP/9000 to Zen IP ranges.
HA rule: ≥2 connectors per Connector Group per failure domain. Group by AZ / DC row, not by app.
Sizing rule of thumb: 2 vCPU connector ≈ 250–500 concurrent HTTP sessions / 150–250 RDP / 200–300 voice. ~250 sessions per vCPU at minimum spec. For 1,000+ HTTP users, scale to 4 vCPU / 8 GB or run 2–3 connectors per group. Always size to peak + 50%.
Install path: download RPM (or use cloud image) → yum localinstall zpa-connector-VERSION.rpm → drop key into /opt/zscaler/var/provision_key (chown zscaler:zscaler, chmod 600) → systemctl enable --now zpa-connector. Enrollment happens automatically on first start; no enroll sub-command exists.
Log path: /var/log/zpa/connector.log for connector itself, journalctl -u zpa-connector for systemd-side events.
Stuck in Pending? Check (1) outbound TCP/9000 to Zen, (2) NTP drift, (3) SELinux blocking, (4) outbound proxy SSL-inspecting Zen traffic, (5) DNS resolving Zen FQDNs.
Cutover discipline: deploy → canary → 50-user pilot → 500-user wave → org-level cutover → 30-day stability → decom legacy.

▶ QUICK LAB · ~15 MIN

Deploy an App Connector from scratch:

From ZPA Admin → Administration → App Connectors → Download. Get the latest RPM + provision key.
On a 2vCPU/4GB RHEL VM: sudo yum localinstall -y zpa-connector-VERSION.rpm
Write the provision key: echo "KEY" | sudo tee /opt/zscaler/var/provision_key + chmod 600.
Start: sudo systemctl enable --now zpa-connector
Watch logs: sudo journalctl -u zpa-connector -f — wait for "Successfully enrolled" + "Connected to broker".
In ZPA Admin → confirm the connector appears in your App Connector Group with status Up.

What's next?

Module 11 wires policy on top of the connectors — App Segments, Segment Groups, Access Policies, Posture Profiles, and the timeout policies that decide when a session must reauthenticate.

Lesson 11 — ZPA Policies & App Segmentation → Practice on exam.techclick.in

ZPA Connectors — Deploying App, Branch & Cloud Connectors in Production