Manage Regions and IP Pools

Manage your organization's regions and IP address pools that are used to secure the request and response traffic of your remote access VPN profiles. When setting up a VPN profile, you choose the Secure Access region where your data center is located, which determines where the VPN traffic will be routed within your network.

  • A Secure Access region is a cluster of data centers in a specific geographic area, such as the Northeastern United States or Western Europe. It is a best practice to choose a region that is geographically close to users; this reduces latency because data reaches the users more quickly.
  • An IP address pool is a sequential range of IP addresses within a certain network. You can have multiple pool configurations. VPN profiles require IP address pools in order to be fully functional. In addition, control plane traffic such as RADIUS is sourced from the Secure Access IP address pools.


Prerequisites

Note: To prevent a possible network outage caused by a server failure or connectivity issue, we recommend configuring at least two IP pool regions, with the secondary region located as geographically close to the primary IP pool region as possible.
Ensure users have access in both regions by doubling the IP addresses in the region's pools. For example, if 20 users are expected in Region A and Region B serves as a failover for the same 20 users, your organization will need at least 40 IP addresses for seamless access.

Procedure

Add an IP pool that is used to manage a set of IP addresses for your VPN profile. Optionally, add a RADIUS group for VPN profiles.

(Zscaler) To set up Secure Access regions, navigate to the "Administration" section in the Secure Access dashboard, then go to "End User Connectivity", where you can add new locations by defining their names, geographic details (country, state), and IP address ranges. This essentially creates different "regions" based on where your users are accessing the internet from. Remember to associate appropriate security policies with each location to manage traffic based on region.

Add a Region Configuration

To add a region configuration, which includes managed IP pools, complete the following steps:

  1. Navigate to Connect > End User Connectivity > Virtual Private Network.
  2. For Set up VPN Profile, click Add IP pool to define IP pools that can be used to distribute IP addresses for remote access VPN profiles.
  3. Define the parameters required to add a region configuration:

    1. Map the IP pool to an available Region.

    2. Add a meaningful Display name.

    3. Choose a pair of DNS Servers from the drop-down, or click Add to add a new DNS pair.

    4. For the System IP Pool, add the subnets needed for remote management access to the VPN headend. Supports ranges from /31 to /21. You can add up to 5 comma-separated ranges. Subnets added here limit the total number of connections added through the IP Pools section.

  4. Scroll down and click Add IP pool to define the IP pools needed for the region configuration.

    1. Add a meaningful IP Pool name that identifies the pool for use with remote access VPN endpoint devices. Each endpoint will be assigned an IP address from a defined IP pool.

    2. Add IPv4 subnets needed for use with remote access VPN endpoints. Each endpoint will be assigned an IP address from the defined IP pool. Supports ranges from /28 to /16. You can add multiple comma-separated ranges.

    3. Add optional IPv6 subnets as needed for use with remote access VPN endpoints. Supports ranges from /124 to /112. You can add multiple comma-separated ranges.

  5. Click Save when you are done.
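
The following pre-check for a planned region configuration is an added example, not part of the product or its documentation. It applies the prefix limits and the failover sizing rule stated on this page to the comma-separated fields before you enter them in the dashboard. The function names, the overlap check, the sample addresses, and counting every address in a subnet as assignable are assumptions of this example.

```python
import ipaddress

# Prefix-length limits as stated on this page: (shortest, longest) prefix allowed.
LIMITS = {"system": (21, 31), "ipv4": (16, 28), "ipv6": (112, 124)}
MAX_SYSTEM_RANGES = 5
# Constructed sample plan (documentation/private ranges, not taken from the page).
SAMPLE = dict(system_pool="192.0.2.0/29", ipv4_pool="10.10.0.0/27", expected_users=20)

def parse_ranges(field, kind):
    """Parse a comma-separated subnet field; return (networks, errors)."""
    lo, hi = LIMITS[kind]
    want_version = 6 if kind == "ipv6" else 4
    nets, errors = [], []
    for item in filter(None, (s.strip() for s in field.split(","))):
        try:
            net = ipaddress.ip_network(item, strict=True)  # rejects host bits
        except ValueError as exc:
            errors.append(f"{kind}: {item}: {exc}")
            continue
        if net.version != want_version:
            errors.append(f"{kind}: {item}: expected IPv{want_version}")
        elif not lo <= net.prefixlen <= hi:
            errors.append(f"{kind}: {item}: prefix must be /{hi} to /{lo}")
        else:
            nets.append(net)
    return nets, errors

def check_region(system_pool, ipv4_pool, ipv6_pool="", expected_users=0):
    """Return a list of problems for one planned region configuration."""
    system, errors = parse_ranges(system_pool, "system")
    v4, e4 = parse_ranges(ipv4_pool, "ipv4")
    _, e6 = parse_ranges(ipv6_pool, "ipv6")
    errors += e4 + e6
    if len(system) > MAX_SYSTEM_RANGES:
        errors.append(f"system: more than {MAX_SYSTEM_RANGES} ranges")
    # Assumption of this example: overlapping ranges (system vs. endpoint,
    # or endpoint vs. endpoint) are reported as a planning error.
    nets = system + v4
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"overlap: {a} and {b}")
    # Failover sizing from the page's note: a region must hold its own users
    # plus the users of the region it backs up, i.e. twice expected_users.
    capacity = sum(n.num_addresses for n in v4)
    if capacity < 2 * expected_users:
        errors.append(f"ipv4: {capacity} addresses < {2 * expected_users} needed")
    return errors
```

Calling `check_region(**SAMPLE)` reports that a /27 pool cannot cover the 20-user failover scenario from the note above, which needs 40 addresses.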

