How is Zscaler Cloud Connector deployed?

Correct answer: As a VM appliance inside the customer's AWS, Azure, or GCP environment (and on-prem hypervisors) Correct: B. Cloud Connector is a VM appliance the customer deploys in their own cloud (or on-prem hypervisor). A is wrong — SaaS-only is the Service Edge, not CC. C — Zscaler doesn't ship hardware into AWS DCs. D — there's no sidecar product; CC is at the network layer.

Aditya at Flipkart needs to inspect internet egress from 8 microservice VPCs in ap-south-1 , all already peered through a Transit Gateway. Best architecture?

Correct answer: Regional Hub pattern: dedicated Zscaler VPC with GWLB + autoscale CC pool, GWLB endpoints in each workload VPC, route default through TGW → Zscaler VPC Correct: C. Regional Hub is the published Zscaler reference pattern for multi-VPC AWS. Shared CC pool = lowest cost; TGW handles routing; GWLB makes the CC transparent. A is impractical at scale and breaks for non-Linux workloads. B — BC is hardware/VM for branches, not for AWS DCs. D works (Isolated-VPC pattern) but is overkill if there's no isolation requirement — 8x the CC bill.

Sneha at Reliance Jio is deploying Cloud Connector in GCP for analytics workloads. Which VM instance type does Zscaler officially recommend?

Correct answer: n2-standard-2 — Zscaler's recommended balance of CPU, memory, and cost on GCP Correct: A. Zscaler explicitly documents n2-standard-2 as the recommended GCP instance type for Cloud Connector — balanced cost/performance. B is too small to handle production throughput. C — GPUs don't help packet inspection. D — instance-type names are cloud-specific, you can't paste an AWS name into GCP.

Karthik at TCS Bangalore needs to deploy Cloud Connector in Azure South India serving 3 BFSI tenants in a hub-spoke landing zone, with autoscale for market-open spikes at 09:15 IST. Best deployment approach?

Correct answer: Zscaler azurerm Terraform module ( zscaler/cloud-connector-modules/azurerm ), CC VMSS in hub VNet across 3 AZs, UDRs on each spoke routing default to the CC load balancer Correct: D. The official azurerm Terraform module handles VMSS, NSGs, route tables, and Azure load balancer correctly. Hub-spoke with UDRs is the canonical Azure pattern. A — clicking once doesn't handle 3 tenants or autoscale. B — modules are cloud-specific; you can't reuse the AWS one in Azure. C — copy-paste ARM templates is unsupported and a security risk.

After CC deployment, the admin dashboard shows CC Active and healthy traffic, but ZIA Insights reports egress from only HALF the expected EC2 instances. The other half's traffic appears in VPC flow logs going to the NAT Gateway ENI IP. Root cause?

Correct answer: Route table edit missed one or more subnets in the workload VPC — those instances still default to NAT Gateway Correct: B. Each AWS VPC can have multiple route tables (one per subnet, or shared). When you change "the main one" you miss subnets that explicitly use other route tables. The VPC flow log proves it — half the IPs are still going to NAT. Audit every subnet's effective route table; use Terraform for_each over all subnets so you can't miss one. A would show healthy-CC pegged at 100% CPU. C — ZIA logs are reliable; absence means absence, not loss. D would break the WHOLE flow, not half.

Workloads behind CC can ping 8.8.8.8 , but the CC itself never transitions from Connecting to Active in the admin portal. CloudWatch shows the CC instance is launched and healthy. What's the most likely cause?

Correct answer: Security group on the CC management interface is blocking outbound DTLS (UDP/443), DNS (UDP/53), or NTP (UDP/123) — the CC can't reach the Zscaler cloud to complete provisioning Correct: C. CC needs outbound DTLS/443 to Zscaler cloud, plus DNS and NTP, to complete provisioning. A platform-team hardening baseline often overrides the Terraform-set rules. Check the effective NSG/SG rules; restore the Zscaler-defined network tags. A — wrong image would fail at boot, not at provisioning. B — workload routing is unrelated to CC status. D — CC would launch and provision fine but then under-perform; here it's not provisioning at all.

CC has been running fine for 6 months. Suddenly throughput plateaus at 500 Mbps and CPU on every CC instance is 95%+. The ASG cc_count_max is set high but no scale-out is happening. New CC instances also peg CPU. Root cause?

Correct answer: Instance type undersized for current traffic. Each CC has a per-instance cap (c6i.large ≈ 500 Mbps). Adding more CCs lateral-scales sessions but each instance still tops out. Resize to c6i.xlarge or .2xlarge via Terraform rolling update. Correct: A. CC throughput per instance is bounded by instance type. c6i.large tops around 500 Mbps; if you want 2 Gbps inspected, you need c6i.xlarge instances. ASG scale-out helps SESSION count, not single-flow throughput. Rolling Terraform update replaces instances one-at-a-time with no downtime. B disables security. C — AWS would throw explicit throttling errors. D — there's no license key in the module.

After deploying CC, external users hitting an internet-facing ALB report random TCP RSTs on long-lived HTTPS connections to the EC2 web tier behind the ALB. Latency is fine on first requests, then drops happen. EC2 outbound API calls work fine. Most likely cause?

Correct answer: Asymmetric routing — inbound external → ALB → EC2 works fine, but the EC2's return path now defaults via CC (because all 0.0.0.0/0 was hijacked to GWLB), so return packets exit a different public IP than the inbound source. Fix with AWS VPC Ingress Routing so customer-facing return uses IGW path. Correct: D. Classic CC asymmetric-routing trap. Inbound from internet → ALB → EC2 uses the IGW path. Outbound EC2 → internet was previously also IGW (response went out the same way the request came in). After CC, EC2's default route is hijacked to GWLB, so the response goes through CC, gets NAT'd differently, and external clients see source-mismatch RSTs. Fix: VPC Ingress Routing to split return paths, OR put customer-facing tier in its own non-CC VPC. A — CC doesn't decrypt traffic for inbound flows by default. B and C would break the FIRST request, not random ones mid-session.

A large IT-services company runs 50,000 EC2 instances spread across ap-south-1 (Mumbai), us-east-1 (N. Virginia), and eu-west-1 (Ireland). All need ZIA-inspected egress, with autoscale capacity and graceful regional isolation. Best architecture?

Correct answer: Per-region Regional Hub pattern: 3 Zscaler VPCs (one per region), each with its own TGW + GWLB + autoscale CC pool. Workload VPCs route default to the local region's GWLB endpoint. No cross-region data plane. Correct: C. Per-region Regional Hub gives lowest latency (workload egress goes through local-region ZIA Service Edge), keeps data plane within the region (regulatory + RTO win), and autoscales independently per region. A backhauls Mumbai-Mumbai traffic to N. Virginia — adds 250+ ms latency and global data-residency issues. B is the right pattern for strict isolation but creates massive operational overhead at this scale. D is irrelevant.

A healthcare aggregator runs 12 cloud customer environments — each must be cryptographically isolated from the others (HIPAA-equivalent compliance), but all need ZIA-inspected internet egress with the same policy. Best Cloud Connector architecture?

Correct answer: Isolated-VPC pattern (Part 2): CC autoscale group inside each customer VPC. No TGW between data planes. Same ZIA tenant + policy, but each VPC's traffic is cryptographically separated end-to-end. Higher cost is an accepted compliance trade-off. Correct: B. Isolated-VPC pattern (Zscaler reference architecture Part 2) is purpose-built for this — each customer VPC gets its own CC ASG, no shared TGW data plane, but all CCs report to the same ZIA tenant so policy is consistent. A would share data planes between customers — HIPAA violation. C — ZCC on cloud workloads is operationally painful and doesn't cover non-Linux/agentless workloads. D rolls your own security, wastes the ZIA license.

Zscaler Cloud Connector Deep-Dive: Securing AWS / Azure / GCP Workloads with ZIA

💡 The toll booth on the cloud highway

Imagine your AWS Mumbai region is a six-lane expressway. Every EC2 instance is a vehicle wanting to drive out to the public internet for a software update, an API call, or a Slack notification. Without Cloud Connector, every vehicle takes the AWS NAT Gateway — a tunnel that lets traffic out but does zero security inspection. That's how a compromised pod talks to its C2, downloads a coinminer, or exfils customer data.

Cloud Connector is the toll booth between your vehicles and the highway. Every flow is inspected — by the same ZIA policy you use for laptops — and only the legitimate ones get a green light. The trick is doing this transparently: AWS workloads don't reconfigure anything, the routing simply changes so the toll booth becomes the new default gateway.

Why this matters in production (and in interviews)

Indian SI giants and BFSI firms are moving to multi-cloud (TCS landing zones on Azure for clients, Flipkart microservices on AWS Mumbai, Jio analytics on GCP). Cloud security in those workloads is the gap. Cloud Connector closes it. In an interview for a Cloud Security / SecOps role at Wipro, Infosys, or a Big-4 consulting team, expect:

"Walk me through deploying Cloud Connector in front of a multi-VPC AWS landing zone."
"EC2s can hit the internet but their HTTPS isn't getting inspected. Where did the route table go wrong?"
"Why might you choose Cloud Connector over a App Connector — or both?"

What Cloud Connector actually is

Zscaler Cloud Connector (CC) is a VM appliance deployed inside your cloud account, in your VPC/VNet, that takes traffic from cloud workloads and forwards it to ZIA (north-south, internet-bound) and ZPA (when used as a hybrid pattern). Three deployment platforms: AWS, Azure, GCP. Plus on-prem hypervisors (VMware, KVM, Hyper-V) for organisations doing colo or private-cloud egress security.

Cloud	How traffic is redirected to CC	Recommended instance	Deployment
AWS	GWLB + GWLB endpoints + Transit Gateway. Workload VPC default route points to GWLB endpoint.	c6i.xlarge / c6i.2xlarge (autoscale)	Terraform `zscaler/cloud-connector-modules/aws`
Azure	Azure Standard Load Balancer + User Defined Routes (UDR) on the spoke VNet, hub-spoke topology.	Standard_F4s_v2 / F8s_v2 (VMSS)	Terraform `zscaler/cloud-connector-modules/azurerm`
GCP	Internal LB + GCP routes; can use VPC-native or hub-spoke with Network Connectivity Center.	n2-standard-2 (Zscaler official recommendation)	Terraform `zscaler/cloud-connector-modules/gcp`

The four-cousin family: who does what

This is the single most confused topic in Zscaler land. Four products sound similar — Branch Connector, Cloud Connector, App Connector, Service Edge — and they do completely different jobs. Memorise this table; interviewers love to test it.

Component	Where it lives	What it forwards	Direction
Branch Connector	Branch office (appliance or VM)	Branch internet-bound + private-app traffic	North-south (to ZIA) + ZPA broker
Cloud Connector	Customer's AWS/Azure/GCP VPC	Cloud workload internet egress + optional inter-VPC	North-south (to ZIA) + east-west policy
App Connector	Customer's DC or VPC (next to private apps)	Inbound ZPA private-app brokering	South-north (from remote user to private app)
Service Edge (ZTE)	Zscaler's own datacenters (150+ globally)	The inspection layer — receives tunnels from BC/CC/ZCC	Hub of the SASE — every other connector terminates into ZTE

Infographic 1 of 4 — The 4-cousin family in one picture

Same ZIA + ZPA policy, four different on-ramps. Cloud Connector is the on-ramp for everything inside a public-cloud VPC.

👨‍💻 Scenario · Aditya at Flipkart, AWS Mumbai (ap-south-1)

Aditya is the Cloud Security lead at Flipkart. The shopping-cart microservices have 8 application VPCs (cart, checkout, inventory, search, recommend, payments-prep, fraud-engine, sessions) all peered through a central Transit Gateway in ap-south-1. Every microservice calls Slack, Datadog, Razorpay sandbox, and various npm registries. Today all of that egress goes through a NAT Gateway with zero security inspection. Compliance flagged it in the last audit. Aditya has 2 weeks to put every VPC's internet egress behind ZIA — without re-architecting the microservices.

The AWS GWLB + Transit Gateway pattern (the gold standard)

For multi-VPC AWS landing zones — which is what every serious Indian enterprise runs by now — the canonical pattern is:

Create a dedicated Zscaler VPC (sometimes called "security VPC" or "inspection VPC").
Deploy Cloud Connectors in private subnets, fronted by an AWS Gateway Load Balancer (GWLB).
Create GWLB endpoints in each workload VPC (one per AZ for HA).
Attach all VPCs (workload + Zscaler) to a Transit Gateway.
Configure route tables so each workload VPC's default route (0.0.0.0/0) goes to its local GWLB endpoint — which transparently sends traffic through CC to ZIA, then back.
Configure the Zscaler VPC's TGW route table to send its default to the GWLB VPC endpoint (so even the Zscaler VPC's outbound goes through CC for inspection).

Infographic 2 of 4 — AWS GWLB + TGW Cloud Connector pattern

The Regional Hub pattern from Zscaler's Part-1 reference architecture. Used by every large Indian SI doing multi-VPC AWS at scale.

👉 So far: VM in your VPC, GWLB makes it transparent, TGW reuses one CC pool for many VPCs. Next — the Terraform that builds all this in 15 minutes.

Configuration walkthrough — Terraform-first

Zscaler ships official Terraform modules at github.com/zscaler/terraform-aws-cloud-connector-modules (and equivalents for Azure and GCP). Don't click in the AWS console for production; click only in the lab.

Step 1 — Initialise the Terraform module (AWS)

main.tf

module "zscaler_cc" {
  source  = "zscaler/cloud-connector-modules/aws"
  version = "~> 1.6"

  name_prefix          = "flipkart-cc-prod-mum"
  aws_region           = "ap-south-1"
  zscaler_cloud        = "zscalerthree.net"
  cc_vm_prov_url       = "https://connector.zscalerthree.net"   # provisioning URL
  cc_callhome_enabled  = true

  # Workload VPCs to attach to TGW
  workload_vpc_ids     = [
    "vpc-0abc111",   # cart
    "vpc-0abc222",   # checkout
    "vpc-0abc333",   # inventory
    # ...
  ]

  # CC sizing + autoscale
  cc_instance_type     = "c6i.xlarge"
  cc_count_min         = 2
  cc_count_max         = 6
  cc_az_count          = 3                # ap-south-1a / b / c

  # Networking
  cc_vpc_cidr          = "10.99.0.0/16"
  cc_subnet_size       = 24

  tags = { owner = "cloud-sec", environment = "prod" }
}

Step 2 — Plan + apply

shell

aditya@laptop:~/flipkart-cc$ terraform init
aditya@laptop:~/flipkart-cc$ terraform plan -out=cc.plan
   Plan: 47 to add, 0 to change, 0 to destroy.

aditya@laptop:~/flipkart-cc$ terraform apply cc.plan
   ...
   Apply complete! Resources: 47 added, 0 changed, 0 destroyed.

   Outputs:
     cc_provisioning_status = "READY"
     gwlb_endpoint_service_name = "com.amazonaws.vpce.ap-south-1.vpce-svc-0123abcd"
     tgw_id                     = "tgw-09abcd1234"
     cc_admin_url               = "https://connector.zscalerthree.net"

✓Expected output

In the Cloud Connector admin portal (https://connector.zscalerthree.net), under Provisioning & Configuration → Cloud Connectors, you'll see 2 (the min) CCs registered, status Active, each tagged with the AZ they live in. The GWLB endpoint service is shared via the vpce-svc-… name to your workload VPC accounts.

Step 3 — Per-workload-VPC route table edit (the magic moment)

In each workload VPC route table

OLD:
  Destination       Target
  10.0.0.0/8        local
  0.0.0.0/0         nat-0abc123def   ← AWS NAT Gateway (no inspection)

NEW:
  Destination       Target
  10.0.0.0/8        local
  0.0.0.0/0         vpce-0xy456...   ← local GWLB endpoint
                                       (transparently forwards through CC → ZIA)

That one edit is the entire cutover. Every EC2's outbound HTTPS / DNS / SMTP / API call now flows through ZIA inspection — without any change inside the instance.

VPC CIDR practice Packet tracker FW policy sim

The pattern decision tree — Regional Hub vs Isolated VPC

Zscaler publishes two AWS reference patterns. Choose by the workload's isolation requirements.

Infographic 3 of 4 — "Which CC pattern fits my workload?"

Print this. In every cloud-security interview at a BFSI client, this is the architecture-design question.

Verification — "is the cloud actually safer now?"

View 1 — CC admin portal

Admin portal path

Dashboard  →  Cloud Connectors  →  flipkart-cc-prod-mum-asg-1a

  Status:                Active ●
  Service Edge:          mum1.sme.zscalerthree.net  (Mumbai)
  Throughput (now):      612 Mbps in / 184 Mbps out
  Sessions (now):        18,420
  AZ:                    ap-south-1a
  Instance type:         c6i.xlarge
  Provisioning:          Terraform (ASG)
  Last health check:     OK · 12 s ago

View 2 — VPC flow logs

CloudWatch Logs Insights query

# Confirm workload outbound traffic is hitting the GWLB endpoint,
# not the old NAT Gateway
fields @timestamp, srcaddr, dstaddr, action, bytes
| filter srcaddr like /^10\.10\./   # cart VPC CIDR
| filter dstport = 443
| stats sum(bytes) by dstaddr
| sort sum_bytes desc
| limit 20

✓Expected output

Top destinations should now show 10.99.x.x (Zscaler VPC GWLB endpoints), not the old NAT Gateway ENI IP. If you still see NAT Gateway hits, the route table edit didn't propagate to all subnets in the VPC.

View 3 — ZIA Insights

ZIA admin portal

Analytics  →  Insights  →  Logs  →  Filter:
  Location = Cloud Connector — flipkart-cc-prod-mum
  Time = Last 1 hour

  → Top destinations:    api.slack.com (32%), api.datadog.com (21%),
                         registry.npmjs.org (14%), api.razorpay.com (9%)
  → Top blocked:         3 (Suspicious cryptominer pool — auto-blocked)
  → DLP events:          0
  → Threats detected:    1 (Suspicious DNS query to fast-flux domain)

Common Mistakes — what blows up in production

!Mistake 1 — "Route table edit missed a subnet"

Symptom: CC dashboard shows healthy traffic, but ZIA Insights shows only HALF the expected EC2 instance count. Audit says half the workloads are still bypassing inspection.

Root cause: The workload VPC has 3 subnets but only 2 had their route tables updated to point at the GWLB endpoint. EC2 instances in the third subnet still default to the NAT Gateway.

Fix: Audit all route tables in every workload VPC, not just "the main route table". Use Terraform for_each over all subnets so you can't miss one. Verify with the VPC flow log query above.

!Mistake 2 — "Security group blocks management traffic"

Symptom: CC instance is up, dashboard shows it as Connecting and never flips to Active. Workload egress is broken because GWLB has no healthy backend.

Root cause: A platform-team-deployed Security Hub or hardening baseline locked down outbound from the Zscaler VPC management interface, blocking DTLS (UDP/443), DNS (UDP/53), and NTP (UDP/123) — exactly what CC needs to reach Zscaler cloud.

Fix: Use the Zscaler-defined network tags in the security group rules — the Terraform module sets these correctly by default, but check no override is wiping them. Outbound allowlist must include the Zscaler sub-cloud IP ranges + the 3 management protocols.

!Mistake 3 — "Asymmetric routing breaks inbound connections"

Symptom: After CC deployment, external users hitting an internet-facing ALB report random TCP RSTs and timeouts on long-lived connections.

Root cause: Inbound traffic from internet → ALB → EC2 is fine, but the EC2's return traffic now defaults to 0.0.0.0/0 via GWLB. The return goes through CC, gets NAT'd, comes out a different public IP than the inbound source, and the external client's stack drops it. Classic asymmetric routing.

Fix: Use AWS VPC ingress routing to split the return path: traffic destined to internet-facing clients takes the IGW path (preserves source IP), traffic destined to outbound API calls goes through CC. Or, isolate the customer-facing tier into its own VPC that doesn't use CC for egress (instead it uses an NLB + dedicated security group).

!Mistake 4 — "Undersized instance, throughput plateaus"

Symptom: CC throughput plateaus at ~500 Mbps despite traffic growing. New EC2 instances are coming online, but their internet egress feels slow. CPU on each CC is at 95%+.

Root cause: Initial Terraform set cc_instance_type = "c6i.large". That instance type tops out around 500 Mbps of inspected throughput. The ASG can't scale you out of a sizing problem — adding more c6i.large instances helps lateral growth but each one still tops at 500 Mbps.

Fix: Resize via Terraform — change to c6i.xlarge (1 Gbps) or c6i.2xlarge (~2.5 Gbps). Run a rolling-update terraform apply; ASG replaces nodes one at a time, no outage. Set cc_count_max high enough to absorb traffic spikes.

!Mistake 5 — "CC and NAT Gateway both in path"

Symptom: Egress works, but latency is 60ms higher than expected, and the AWS NAT Gateway data-processing bill stayed the same after CC rollout.

Root cause: The route table change pointed default to the GWLB endpoint, but the Zscaler VPC itself still routes its egress through a NAT Gateway. So traffic loops EC2 → GWLB → CC → NAT GW → internet. Double-hop, double-pay.

Fix: CC has its own egress path; don't put a NAT Gateway behind it. Read the Zscaler blog "Using Cloud Connectors without NAT Gateway" — the Terraform module supports this; ensure the Zscaler VPC subnet uses Internet Gateway directly with appropriate route propagation.

Pro tips from the field

💡Tip 1 — Multi-AZ from day one

Single-AZ Cloud Connector means a single-AZ outage in ap-south-1 (rare but real) takes ALL your cloud egress down. Always set cc_az_count >= 2 in Terraform from day one. The cost delta is small; the resilience delta is enormous.

💡Tip 2 — Pin the Terraform module version

Don't use version = "~> 1" — pin to a specific minor version like ~> 1.6. Zscaler ships breaking changes between major versions and the Terraform registry will silently pull a new one if you're not careful. Read the changelog before any version bump.

💡Tip 3 — Use CC + App Connector hybrid for true zero-trust

Cloud Connector = north-south (workload → internet). App Connector = south-north (remote user → private app). Run both in your VPC: CC handles outbound egress to ZIA, App Connector brokers ZPA access to your internal applications. Same Zscaler tenant, completely different traffic flows, both billed under the same SASE license.

End-to-end scenario walkthrough — Karthik's Azure landing zone

🎬 Karthik at TCS Bangalore — Azure hub-spoke for 3 BFSI tenants

Monday 09:00 IST. Karthik gets a brief: TCS-managed landing zone in Azure South India must serve 3 BFSI client tenants. Each tenant needs ZIA-inspected internet egress, isolated from the others, with autoscale to handle market-open traffic spikes at 09:15 IST. RTO < 5 minutes.

10:30. Karthik writes Terraform using zscaler/cloud-connector-modules/azurerm v1.7. Hub VNet hosts one shared CC VMSS with 2 instances min, 6 max, Standard_F4s_v2 across 3 availability zones. Each tenant's spoke VNet peers to the hub, default route via User Defined Route points at the CC load balancer.

11:45. terraform apply. 38 resources created in 7 minutes.

12:30. Karthik validates each tenant: curl ipinfo.io from a test VM in each tenant's spoke. All three show the Zscaler Mumbai egress IP — not Azure's default outbound. ZIA Insights show 3 distinct location tags (one per tenant, mapped to the spoke VNet name).

13:00. Tuesday market-open simulated. Traffic spikes to 1.4 Gbps. VMSS scales 2 → 5 instances in 90 seconds. Latency p95 stays under 35ms. Zero dropped sessions.

Wednesday 14:00. Karthik writes the change-record for the CISO. Three pages. One screenshot. Done.

Infographic 4 of 4 — Karthik's timeline · Terraform → live in 4 hours

The point: Terraform turns "weeks of console clicking" into "an afternoon of code review". Pin the module, version it, and your cloud-egress story stays reproducible.

Glossary — the words you'll hear on every Cloud Connector call

Cloud Connector (CC): Zscaler VM in your AWS/Azure/GCP/on-prem environment that forwards workload traffic to ZIA Service Edge. Distinct from Branch Connector (branch hardware) and App Connector (ZPA inbound).
GWLB (Gateway Load Balancer): AWS L3 transparent load balancer that uses GENEVE encapsulation to deliver flow-sticky traffic to backend appliances like CC. Makes inspection transparent to workloads.
GWLB Endpoint (GWLBe): VPC endpoint that exposes the GWLB across VPCs/accounts. Workload route tables point default at this endpoint.
Transit Gateway (TGW): AWS service that connects multiple VPCs (and on-prem via VPN/Direct Connect). Centralised routing hub. Pair with CC for the "Regional Hub" pattern.
VMSS (Virtual Machine Scale Set): Azure's autoscale group — multiple identical VMs managed as one. Used for CC HA on Azure.
Service Edge (ZTE): Zscaler datacentre POP that terminates tunnels and runs inspection. Indian closest: mum1.sme (Mumbai), maa1.sme (Chennai).
Regional Hub pattern (Part 1): Shared CC pool in a Zscaler VPC, all workload VPCs connect via TGW. Cost-efficient.
Isolated-VPC pattern (Part 2): CC pool per VPC, no TGW between data planes. Required for strict isolation (PCI, HIPAA).
Terraform modules: Official Zscaler-maintained Terraform modules on GitHub for AWS, Azure, GCP — they encode the right security groups, route tables, and instance types so you don't reinvent them.
n2-standard-2: GCP Compute instance type recommended by Zscaler for Cloud Connector — 2 vCPU, 8 GB RAM, balanced for cost/performance.
Asymmetric routing: When inbound and outbound traffic for the same flow take different paths. A common CC misconfiguration causes this — leads to RSTs.
VPC Ingress Routing: AWS feature letting you set route tables on the internet-gateway path, so inbound traffic can be steered differently than outbound. Fixes asymmetric routing with CC.

📋 Quick reference — print this before your interview

What it is: VM appliance in AWS / Azure / GCP that forwards cloud workload egress to ZIA Service Edge.
Versus Branch Connector: BC = branch hardware/VM. CC = cloud VM. Same ZIA target.
Versus App Connector: CC = north-south (egress). App Connector = south-north (ZPA inbound).
AWS pattern: GWLB + GWLB endpoints + Transit Gateway. Workload default route → GWLB endpoint.
Azure pattern: Standard Load Balancer + UDR + VMSS in hub-spoke VNet.
GCP pattern: n2-standard-2 instances + internal LB + GCP routes.
Deployment: Always Terraform — github.com/zscaler/terraform-aws-cloud-connector-modules (and azurerm/gcp equivalents).
Sizing AWS: c6i.large (~500 Mbps), c6i.xlarge (~1 Gbps), c6i.2xlarge (~2.5 Gbps). Always autoscale across ≥ 2 AZs.
Two patterns: Regional Hub (Part 1, shared CC, TGW) vs Isolated-VPC (Part 2, per-VPC CC, no TGW). Pick by isolation requirement.
First troubleshooting steps: CC admin portal status → VPC flow logs (verify GWLB endpoint hit) → ZIA Insights filter by CC location → check route tables on every workload subnet.
Top 3 failure modes: missed route table, security group blocking mgmt traffic (DTLS/53/123), asymmetric routing on inbound.

Sources cited:

Zscaler Help — What Is Zscaler Cloud Connector? (help.zscaler.com/cloud-branch-connector/what-zscaler-cloud-connector)
Zscaler Reference Architecture — Zero Trust Security for AWS Workloads with Zscaler Cloud Connector (PDF)
Zscaler Reference Architecture — Zero Trust Security for Azure Workloads + GCP Workloads (PDFs)
GitHub — zscaler/terraform-aws-cloud-connector-modules + terraform-azurerm-cloud-connector-modules + terraform-gcp-cloud-connector-modules
Zscaler Help — Troubleshooting Cloud Connector with GCP + with Azure + AWS
Zscaler Blog — Internet Egress Security Architecture for AWS Workloads — Part 1 Regional Hubs + Part 2 Isolated VPCs
Zscaler Community — App connector in Azure vs Cloud Connector thread (community.zscaler.com)
AWS Partner Network — Enhancing Workload Security on AWS with Zscaler Zero Trust Exchange
Zscaler-AWS Traffic Forwarding Deployment Guide (v2.2, May 2024) + Deployment Guide (v1.0, May 2025)

What's next?

You've completed the three-blog series Ram asked for: Branch Connector + Check Point + Cloud Connector. You can now defend a SASE migration story at a CISO whiteboard for any major Indian enterprise. Take the practice exam to lock the knowledge.

← Check Point Firewall ← Branch Connector Practice on exam.techclick.in

Zscaler Cloud Connector Securing AWS / Azure / GCP Workloads with ZIA